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Can  an  entire  business  . . . . ; 

be  given  a  nervous  system? 


Today,  instrumented  devices  connected  by  powerful  service  management 
systems  are  infusing  intelligence  into  things  like  production  equipment 
and  supply  chains,  redefining  the  role  of  the  infrastructure  at  the  core  of 
the  enterprise.  On  a  smarter  planet,  the  datacenter  is  not  simply  the  heart 
of  IT— it’s  also  the  central  nervous  system  of  the  entire  business. 

IBM  is  helping  companies  view  their  extended  infrastructure  not  as  a 
collection  of  disconnected  pieces,  but  as  an  integrated  system  that 
connects  the  datacenter  to  all  of  the  digital  and  physical  assets  of  the 
business,  creating  a  more  dynamic  infrastructure.  From  railway  systems 
that  can  predict  and  schedule  their  own  maintenance  to  power  grids  that 
match  supply  and  demand,  we’re  already  helping  customers  improve 
service,  increase  flexibility  and  reduce  operating  costs  by  as  much  as  50%. 

A  smarter  business  needs  smarter  software,  systems  and  services. 

Let’s  build  a  smarter  planet,  ibm.com/infrastructure 
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Network  Security. 

It's  what  we're  made  of. 

MANAGED  SECURITY  SERVICES  FROM  AT&T.  When  it  comes  to 
system  security  and  protecting  your  network,  trust  your  business 
data  to  the  architect  and  overseer  of  the  world's  largest  wired  and 
wireless  network.  With  AT&T's  vast  security  expertise,  we  can  assess 
vulnerabilities,  help  protect  your  infrastructure,  detect  attacks  and 
respond  to  suspicious  activities.  Taking  care  of  the  hidden  dangers, 
so  you  can  focus  on  the  work  that's  in  front  of  you.  That's  how 
AT&T  helps  your  business  Stretch. 


att.com/dnasecurity 
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Your  world.  Delivered. 
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Your  Value  Proposition 

In  the  ’80s,  Harvard  business  professor  and  consultant  Michael  Porter  wrote 
about  value  chains.  A  simplified  explanation  of  his  theory  is  this: 

Every  company  tries  to  build  a  great  sales  department.  A  great  marketing 
department.  Efficient  financial  systems.  Excellent  manufacturing  operations. 

And  because  every  company  tries  to  make  those  functions  great,  it’s  very  hard  to 
get  a  big  competitive  advantage  that  way.  Good  departments  are  a  basic  require¬ 
ment,  and  likely  not  a  competitive  advantage. 

The  place  to  build  competitive  advantage,  Porter  said,  is  in  how  well  those 
departments  are  connected  to  one  another.  Lots  of  value  and  speed  is  lost  in 
passing  information  and  goods  between  those  functions.  A  company  that  takes  the 
friction  out  of  those  interconnections  will  be  faster,  more  nimble  and  better  than  a 
company  that  doesn’t  have  the  same  fluidity. 

If  you  apply  thisthinkingto  the  CSO’s  role,  you  can  see  howto  add  value  to  your 
company.  Instead  of  simply  trying  to  “build  a  great  security  department,”  define 
your  role  this  way:  You  are  a  connector.  Your  job  is  to  help  forge  strong  connections 
between  other  departments,  specifically  on  issues  of  operational  risk. 

The  chart  on  this  page  has  been  on  my  office  wall  for  about  four  years.  I  find  it 
very  useful  in  explaining  what  CSO  is  about.  It  just  dawned  on  me  that  you  might 
find  it  useful  too.  (Hopefully  I’m  better-looking  than  I  am  smart.) 

The  chart  depicts  how  various  executives  and  their  functions  have  overlap¬ 
ping  risk  issues.  A  CSO  doesn’t  necessarily  “own"  every  slice  of  the  pie.  But  a  good 
CSO  can  see  that  every  issue  provides  an  opportunity  to  help  connect  the  various 
functions  within  the  company.  Improve  loss  prevention,  and  you’ve  helped  both  the 
CFO  and  the  COO.  Improve  your  investigations  processes,  and  you’re  touching  both 
Human  Resources  and  Legal.  Solid  business  continuity  planning  connects  most  of 
the  functions  on  the  outside  of  the  circle. 

There  isn’t  space  to  go  into  more  detail  here,  but  you’ll  find  my  expanded 
thoughts  on  this  topic,  including  links  to  CSO’s  coverage  of  every  slice  of  the  pie, 
at  www.csoonline.com/article/508544. 

-Derek Slater,  dslater@cxo.com 
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60%  OF  PRODUCTION  VIRTUAL  MACHINES 

ARE  LESS  SECURE  THAN  THEIR  PHYSICAL  COUNTERPARTS! 


THINK  CONVENTIONAL  SECURITY  CAN  PROTECT  YOUR  VIRTUAL  ENVIRONMENT? 


Enterprises  around  the  world  are  relying  on  virtualization  to  increase  data  center  efficiency  and,  unknowingly, 
leaving  themselves  more  vulnerable.  That's  because  conventional  security  isn’t  able  to  protect  virtual  machines 
or  see  the  traffic  between  them  -  leaving  data  and  networks  exposed.  Which  is  why,  according  to  Gartner  Group, 
in  2009  sixty  percent  of  virtual  machines  are  less  secure  than  their  physical  counterparts.  But  with  Trend  Micro" 
Enterprise  Security,  powered  by  the  Trend  Micro™  Smart  Protection  Network™  infrastructure,  you  can  mitigate 
the  risk  and  maximize  the  benefits  of  virtualization.  It's  a  different  kind  of  security  that  protects  your  physical 
and  virtualized  environments  and  helps  set  the  foundation  for  your  company  to  move  confidently  into  the  cloud. 


TREND 

MICRO 


Learn  how  to  protect  your  virtualized  data  center.  Download 
the  Trend  Micro  eBook  at  trendmicro.com/thinkagain 


Securing  Your  Web  World 


©  2009  Trend  Micro  Inc.  All  rii 


trademarks  of  their  owners.  -Per  Gartner  Group  Vice  President  Neil  MacDonald,  as  qi 
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The  Other  Side 
of  Social  Media 

A  couple  of  issues  ago,  I  wrote  here 
about  the  challenges  that  organiza¬ 
tions  are  facing  from  the  advent  of 
social  networking.  By  now,  most  of  you 
are  aware  of  the  risks  that  social  networking 
poses  to  your  organization:  malware  intrusion, 
intellectual  property  leakage,  disclosure  of 
personally  identifying  information,  etc.  But  my 
message  to  you  today  is  that  social  media  isn’t 
all  gloom  and  doom. 

As  some  of  you  know,  over  the  past  several 
years,  CSO  has  launched  groups  at  various 
social  networking  sites,  including  Linkedln  and 
Facebook.  We  did  this  because  we  saw  more 
and  more  of  our  readers  experimenting  in 
this  media  as  they  sought  to  share  knowledge 
and  learn  best  practices  while  operating  in  a 
trusted  online  environment.  We  also  did  this 
because  younger  workers  are  entering  the 
workforce  and-surprise-they  rely  heav¬ 
ily  upon  the  online  communities  that  these 
platforms  provide,  for  both  their  personal  and 
professional  lives. 

So  far,  the  CSO  Forum  on  Linkedln  seems 
to  hold  the  most  promise.  As  I  write  this 
column,  the  forum  has  nearly  500  members, 
many  of  whom  are  participating  in  active 
discussions  on  a  regular  basis,  as  they  try 
to  address  the  challenges  they  have  in  their 
organizations  and  share  their  own  best  prac¬ 
tices  with  their  peers  and  fellow  CSO  Forum 
members. 


I’ve  had  the  privilege  this  year  to  meet 
with  more  than  450  security  and  technol¬ 
ogy  executives  across  North  America,  and 
social  networking  has  certainly  become  one 
ofthe  hottopics  of  discussion-not  just  the 
challenges  social  media  presents  to  their  orga¬ 
nizations,  but  also  how  they  can  benefit  from 
it.  There  is  a  general  understanding  that  there 
is  real  value  to  be  gained  from  the  sharing  of 
information  in  a  gated  community,  and  while 
this  same  sharing  of  information  happens  at 
conferences  and  roundtables,  the  trick  has 
always  been  figuring  out  how  to  extend  that 
community  beyond  the  dates  that  define  the 
boundary  of  a  conference  or  event.  The  CSO’s 
need  for  information  is  not  defined  by  time, 
but  rather  by  immediacy. 


If  you  haven’t  had  a  chance  to  visit  the  CSO 
Forum  on  Linkedln,  I  urge  you  to  give  it  a  try. 

I  think  you’ll  find  it  to  be  a  valuable  resource 
that  will  continue  to  return  value  to  you  as  you 
encounter  the  challenges  yet  to  come. 

To  join  the  CSO  Forum,  go  to  www.Linkedln. 
com,  select  Search  Groups  in  the  search  box, 
and  enter  “CSO  Forum.”  We’ll  see  you  there. 

- Bob  Bragdon,  bbragdon@cxo.com 
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Contact  HID  Global  for  a  90-day  trial:  hidglobal.com/90daytrial1 


i  seamless  access  solutions 
|  that  are  convenient  and 
cost-effective. 
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HID  Global  revolutionized  physical  access  control  by  providing  a  secure  and  convenient 
method  to  gain  entry  to  doors.  Mirroring  the  same  user  experience,  HID  is  now 
revolutionizing  logical  access.  HID  on  the  Desktop™  delivers  user-friendly  convenience 
and  improved  risk  management  for  access  to  Windows®  and  IT  networks  by  using  the 
same  card  that  opens  your  doors  today. 


What’s  on  your  mind?  Security  leaders  discuss 
and  debate  at  www.csoonlme.com 


BLOG  POST 

Why  DO 

Security 

Professionals 

Fail? 

Dan  Lohrmarm,  Michigan’s  CTO, 
says  the  main  problem  and  its 
solution  are  dear-if  not  easy 

Why  do  security  profes¬ 
sionals  fail?  As  Michi¬ 
gan’s  current  CTO  and 
director  of  infrastruc¬ 
ture  services,  I’m  very 
interested  in  this  question.  And  since  I 
was  the  state’s  CISO  for  almost  seven  years 
before  that,  I’ve  been  studying  this  ques¬ 
tion  for  quite  a  long  time.  I’ve  been  observ¬ 
ing  those  who  succeed  and  those  who  often 
seem  to  fail  to  achieve  their  goals  from  vari¬ 
ous  perspectives.  I’ve  managed  individuals 
who  sell  and/or  implement  security  solu¬ 
tions  as  well  as  IT  staff  who  rebel  when  the 
security  experts  show  up.  I’ve  chronicled 
the  good,  the  bad  and  the  ugly. 

So,  what  works,  and  what  doesn’t  seem 
to  make  much  difference  in  getting  consis¬ 
tently  positive  results?  My  answers  will 
probably  surprise  you. 

I’m  not  the  first  person  to  ask  this  ques¬ 
tion.  Conventional  wisdom  says  we  need 
more  training  and  staff  with  more  security 
certifications.  Others  say  we  need  to  pay 
information  assurance  staff  better,  gain  a 
better  understanding  of  the  bad  guys,  pro¬ 
vide  more  executive  leadership  training 
or  get  more  top-level  executive  buy-in.  Of 


course,  I  support  all  of  these  items— who 
can  argue  against  more  executive  buy-in? 

Nevertheless,  I’ve  seen  security  staff 
around  the  country  with  all  the  right  boxes 
checked,  and  others  with  none  of  the  above, 
be  successful.  For  example,  some  people 
are  able  to  obtain  the  executive  buy-in  for 
security  when  they  don’t  initially  have  it, 
while  others  who  initially  have  significant 
executive  buy-in  either  lose  that  support  or 
can’t  seem  to  use  this  advantage  to  get  clo¬ 
sure  on  key  security  projects. 

The  corollary  is  also  true.  I’ve  seen 
security  professionals  with  all  of  these 
positive  attributes  fail  miserably.  The  real¬ 
ity  is  that  most  of  these  items  are  outside 
of  your  control  when  you  show  up  and 
become  a  member  of  a  security  team.  Yes, 
you  can  choose  where  to  work  and  decide 
if  a  company  offers  the  right  training,  pay 


or  other  opportunities.  But 
in  today’s  tough  job  market 
where  salaries  and  benefits 
are  being  cut,  your  choices 
may  be  limited. 

CSOs  often  joke  that 
they  want  the  job  right  after 
a  major  breach  and  the 
loss  of  millions  of  dollars. 
The  last  guy  gets  fired  and 
you  come  in  with  all  of  the 
leverage  and  resources  to 
get  the  job  done  right.  How¬ 
ever,  this  is  a  rare  situation, 
and  most  security  staff  find 
themselves  with  a  mixture 
of  good  and  bad  in  their 
current  situations. 

So,  what  can  you  do? 
What  character  traits  matter 
most  in  determining  secu¬ 
rity  professionals’  success? 
What  practical  steps  make  a  positive  differ¬ 
ence?  Over  the  next  several  months,  I’d  like 
to  offer  you  seven  can-do  solutions.  In  this 
initial  post,  I  will  focus  on  the  first  and  per¬ 
haps  most  important  item,  in  my  view. 

Before  I  give  my  list  of  reasons  I  think 
professionals  fail,  I  want  to  provide  a  few 
caveats.  I  am  presuming  that  you  have  cer¬ 
tain  basic  skills  and  a  professional  resume. 
You  can  truly  call  yourself  a  security  pro¬ 
fessional.  If  you  don’t  know  the  difference 
between  an  encrypted  laptop  and  SSL, 
you’d  better  go  back  to  the  basics.  And 
yet,  my  guess  is  that  most  people  reading 
this  article  already  know  plenty  of  cyber 
facts.  The  Internet  is  full  of  thousands  of 
articles  on  training,  certifications,  infor¬ 
mation  assurance  careers  and  the  like.  I  am 
attempting  to  move  on  to  “the  rest  of  the 
story.” 
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Problem  l:  Security  Professionals  Are 
Known  as  Disablers 

What’s  the  problem?  Security  profes¬ 
sionals  are  often  viewed  as  the  “party 
poopers.”  This  problem  is  very  serious 
and  actually  threatens  the  credibility  of 
every  security  consultant.  Are  you  bring¬ 
ing  problems  or  solutions?  Are  you  viewed 
negatively? 

An  industry  example  of  this  involves 
cloud  computing.  Most  of  the  technology 
world  is  rushing  into  cloud  computing. 
While  thousands  of  positive  articles  are 
being  written  about  the  ROI,  cost-saving 
opportunities  and  transformational  aspects 
of  new  cloud  architectures,  the  security 
world  is  busy  printing  articles  about  why 
cloud  computing  either  won’t  work,  is  a 
bad  idea,  or  will  lead  to  more  identity  theft, 
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security  problems  and  richer,  fatter  bad 
guys.  But  can  our  cyber  security  situation 
actually  get  much  worse  than  it  is  now? 

What’s  worse  is  that  security  profes¬ 
sionals  only  read  the  bad  news  online,  while 
the  rest  of  the  technology  community  reads 
about  the  good  aspects  of  cloud  computing. 
Most  security  experts  are  feeding  them¬ 
selves  the  wrong  intellectual  food.  (Tip  l: 
Read  more  about  the  positives  associated 
with  new  technologies  and  not  just  how 
easy  it  is  to  hack.) 

Solution  l:  Be  Known  as  an  Enabler 
So,  what  can  be  done?  Stop  saying  no  to 
your  customers.  Offer  secure  solutions.  Be 
an  enabler.  Answer  the  question:  How  can 
we  ensure  that  this  new  project  is  delivered 
on  time,  on  budget  and  with  the  right  level 
of  security?  Be  known  as  a  can-do  person, 
not  a  “Puddleglum.”  (Read 
C.S.  Lewis  if  you  don’t 
know  this  character.) 

At  one  level,  this  advice 
seems  obvious.  But  I  chal¬ 
lenge  you  to  have  lunch 
with  a  customer  who  will 
talk  openly  and  honestly 
with  you  about  your  pro¬ 
fessional  image.  Ask  them 
these  types  of  questions: 
How  am  I  perceived?  Why 
doesn’t  XYZ  (fill  in  the 
blank  with  a  business  client 
who  doesn’t  get  along  with 
you)  like  me?  Why  doesn’t 
ABC  (fill  in  the  blank  with 
someone  else  who  is  well 
regarded  but  avoids  you) 
respect  me?  Ask  probing 
questions.  Get  different 
perspectives. 

Your  goal  is  to  find  out 
how  well  balanced  you  are. 
You  want  to  be  known  as  an 
enabler.  Hopefully  you  agree 
that  you  want  to  be  charac¬ 
terized  as  someone  who  is 
fair  and  well  respected  by 
the  majority.  In  my  experi¬ 
ence,  security  personnel 
are  often  discounted  as  too 
pessimistic  and  negative. 
If,  on  the  other  hand,  you 
find  that  you  are  viewed  as 
an  enabler,  ask  about  the 
perception  of  the  security 
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organization  and  the  people  within  it.  Help 
those  who  need  to  change  this  aspect  of  their 
security  approach,  since  the  organizational 
image  also  impacts  your  career. 

No  doubt,  successful  security  pro¬ 
grams  result  from  successful  people, 
processes  and  technology.  There  are  many 
aspects  of  our  jobs  that  we  cannot  control. 
But  I  suggest  taking  a  hard  look  at  what 
you  can  control  and  making  any  necessary 
changes  to  your  approach  as  a  first  step. 
Be  an  enabler,  and  you’ll  deliver  better 
security. 

What  are  your  thoughts  on  the  charac¬ 
teristics  of  successful  security  profession¬ 
als?  Why  do  security  professionals  fail  to 
achieve  their  desired  professional  goals?  ■ 
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TRENDS,  STATS  AND  FAST  FACTS 
Edited  by  Bill  Brenner 


The  Conficker  worm  has  passed  a  dubious 
milestone.  It  has  now  infected  more  than 
7  million  computers,  security  experts 
estimate. 

By  late  October,  researchers  at  the 
volunteer-run  Shadowserver  Foundation  had 
logged  computers  from  more  than  7  million 
unique  IP  addresses  that  had  been  infected  by 
the  known  variants  of  Conficker. 

They  have  been  able  to  keep  track  of 
Conficker  infections  by  cracking  the  algorithm 
the  worm  uses  to  look  for  instructions  on  the 
Internet  and  placing  their  own  “sinkhole"  serv¬ 
ers  on  the  Internet  domains  it  is  programmed 
to  visit. 

Conficker  has  several  ways  of  receiving 
instructions,  so  the  bad  guys  have  still  been 
able  to  control  PCs,  but  the  sinkhole  servers 
give  researchers  a  good  idea  of  how  many 
machines  are  infected. 

Although  Conficker  is 
probably  the  most  well-known 
computer  worm,  PCs  continue 
to  get  infected  by  it,  says  Andre 
DiMino,  cofounder  of  The 
Shadowserver  Foundation.  “The 
trend  is  definitely  increasing,  and 
breaking  7  million  is  pretty  much  a  landmark 
event,”  he  says. 

Conficker  first  caught  the  attention  of  secu¬ 


rity  experts  in  November  2008  and  received 
widespread  media  attention  in  early  2009.  It 
has  proved  remarkably  resilient  and  is  adept  at 
reinfecting  systems  even  after  being  removed. 

Members  of  the  Conficker  Working 
Group,  an  industry  coalition  set  up  last  year 
to  deal  with  the  worm,  suspect  that  many  of 
the  infected  PCs  are  running  bootlegged  cop¬ 
ies  of  Microsoft  Windows,  and  are  therefore 
unable  to  download  the  patches  or  Microsoft’s 
Malicious  Software  Removal  Tool,  which  could 
get  rid  of  the  infection.  So  in  China  and 
Brazil,  for  example,  Conficker  is  very 
common. 

Despite  its  ubiquity,  Con¬ 
ficker  has  rarely  been  used  by 
the  criminals  who  control  it. 

Why  it  hasn’t  been  used 
more  is  a  bit  of  a  mystery. 

Some  members  of  the  Con¬ 
ficker  Working  Group  believe  that  Conficker’s 
author  may  be  reluctant  to  attract  more  atten¬ 
tion,  given  the  worm’s  overwhelming  success 


at  infecting  computers. 

“The  only  thing  I  can  guess  at  is  the  person 
who  created  this  is  scared,”  says  Eric  Sites,  chief 
technology  officer  with  Sunbelt  Software  and  a 
member  of  the  working  group.  “This  thing  has 
cost  so  many  companies  and  people  money  to 
get  fixed,  if  they  ever  find  the  guys  who  did  this, 
they’re  going  away  for  a  long  time.” 

IT  staffers  often  discover  a  Conficker  infec¬ 
tion  when  a  user  is  suddenly  unable  to  log  in 
to  a  computer.  That  happens  because  infected 
machines  try  to  connect  to  other  computers 
on  the  network  and  guess  their  passwords, 
trying  so  many  times  that  they  are  eventually 
locked  out  of  the  network. 

But  the  cost  of  the  worm  would  be  even 
greater  if  Conficker  were  to  be  used  for  a  dis¬ 
tributed  denial-of-service  attack,  for  instance. 

“This  is  certainly  a  botnet  that  could  be 
weaponized,”  DiMino  says.  “When  you  have 
a  net  of  this  magnitude,  the  sky’s  the  limit  in 
terms  of  what  could  be  done.” 

-Robert  McMillan 


One  of  the  most  prolific  and 
destructive  worms  in  years 
has  hijacked  more  than 
7  million  computers 


THE 

WRATH  OF 
CONFICKER 


Illustration  by  Belle  Mellor 
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BY  THE  NUMBERS 

4,200 

Number  of  major 
global  retailers  the 
Centre  for  Retail 
Research  surveyed 
about  key  trends  in 
retail  shrinkage  and 
crime  in  the  past  year 

$114.8  B 

Losses  retailers 
suffered  in  total 
shrinkage  due  to  theft 

5.9% 

Percentage  by 
which  shrinkage 
increased  this  year 
over  last  year 

1.35% 

Last  year’s  shrink  rate 

8 

Number  of  people 
indicted  recently  for 
allegedly  hacking  into 
a  computer  network 
operated  by  credit 
card  processing 
vendor  RBS  WorldPay 

59  M 

Amount  stolen 
during  that  hack 

12 

Hours  it  took  the 
alleged  hackers  to 
steal  the  $9  million 


Q&A 

Top  Microsoft  Security  Architect: 
Windows  7  Will  Slash  Malware 

Jimmy  Kuo,  principal  architect  for  Microsoft’s  Malware 
Protection  Center,  has  high  hopes  that  Windows  7’s  security 
features  will  help  reverse  attack  trends  identified  in  the  seventh 
volume  of  the  software  giant’s  Security  Intelligence  Report 


Microsoft  caused  the  IT  security  commu¬ 
nity  more  than  a  little  heartburn  when 
it  included  fixes  for  the  barely-out-of- 
the-box  Windows  7  in  its  October  2009 
Patch  Tuesday  security  update. 

Nevertheless,  Jimmy  Kuo,  principal  archi¬ 
tect  for  Microsoft’s  Malware  Protection  Center, 
has  high  hopes  that  Windows  7  will  ultimately 
be  seen  as  the  major  turning  point  where  mal¬ 
ware  writers  finally  met  their  match.  In  the  fol¬ 
lowing  Q&A,  Kuo  talks  about  the  top  takeaways 
from  the  latest  Microsoft  security  intelligence 
report  and  why  he  believes  Windows  7  will 
ultimately  shut  the  door  on  a  lot  of  the  malware 
activity  outlined  in  it. 

What  were  some  of  the  more  pervasive 
malware  threats,  according  to  the  latest 
report? 

Kuo:  Conficker  was  the  top  worm  threat 
detected  for  the  enterprise,  because  its 
method  of  propagation  works  more  effectively 
within  a  firewalled  network  environment. 

Then  there’s  Taterf,  which  targets  multi¬ 
player  online  role-playing  games  and  has 
increased  156  percent,  from  2  million  last  year 
to  4.9  million  in  this  year.  Win32/Taterf  steals 
your  online  game  log-in  details.  It  spreads  by 


copying  itself  to  the  root  of  all  fixed  and 
removable  drives  on  the  infected  system, 
ensuring  it  gets  executed  by  creating  an 
‘autorun. inf"  file.  After  its  first  day  in  MSRT, 
Taterf  components  had  been  removed 
from  over  700,000  machines.  It  illustrates 
the  need  for  organizations  to  have  guide¬ 
lines  for  removable  drives  (such  as  thumb 
drives)  and  evaluate  how  connections  are 
made  to  outside  machines. 

The  report  did  indicate  some  victories 
in  dealing  with  Win32/Zlob,  a  family  of 
Trojans  that  often  pose  as  download¬ 
able  media  codecs.  What  happened? 

This  was  a  top  threat  for  the  past  two 
years.  At  its  peak,  we  had  to  remove  it 
from  more  than  21.1  million  systems.  That 
has  decreased  nearly  tenfold  to  2.3  million 
disinfections  in  the  first  half  of  2009. 

All  this  activity  is  based  on  what  the  world 
looked  like  before  the  official  release  of 
Windows  7.  Will  we  continue  to  see  similar 
data  in  future  reports  or  will  security  fea¬ 
tures  built  into  the  new  operating  system 
dramatically  turn  the  tide? 

A  lot  of  the  security  enhancements  worked 
into  the  development  of  Windows  7  were 
based  on  the  threats  these  reports  have 
outlined  in  recent  years.  DirectAccess,  for 
example,  offers  remote  workers  the  same 
level  of  seamless  and  secure  connectivity  that 
they  have  in  the  office.  The  system  automati¬ 
cally  creates  a  secure  tunnel  to  the  corporate 
network  and  workers  don’t  have  to  manually 
substantiate  a  connection.  DirectAccess  also 
allows  IT  administrators  to  patch  systems 
whenever  a  remote  worker  is  on  the  network. 
We’re  pretty  hopeful  that  this  will  lead  to  a 
reduction  in  the  malware  we’ve  been  seeing. 

It  should  also  be  noted  that  the  newer  the  05, 
the  less  malware  we  tend  to  find,  because  of 
the  higher  patch  rate.  All  previous  patches 
have  been  worked  into  Windows  7. 

-Bill  Brenner 
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Verbatim... 

Shots  heard  ’round  the 
security  world 


“I  have  no  faith  in 
the  U.S.  government  to 
implement  useful  strategies 
and  security  measures  that 
don't  fall  completely  apart  when 
political  cowards  take  the  reins.” 

Gregory  Anderson,  desktop  security  SEPM 
lead  manager  at  Qwest  Communications, 
regarding  his  lack  of  faith  in  a 
federal  data  security  law 


“YOU 

have  to  burn 
your  hand  to  know 
the  stove  is  hot.” 

451  Group  analyst  Josh 
Corman,ontheneedfor 
companies  to  make  some 
security  mistakes  in  orderto 
get  their  defenses  right 


“Windows  7 
is  definitely  by  far 
the  most  secure  system 
they've  shipped.  I  guess  the 
question  that  everybody  is  asking 
right  now  is,  ‘Is  this  enough?'  ” 

Dave  Aitei,  chief  technology  officer  with 
Immunity,  a  security  company  that  spends 
a  lot  of  time  finding  the  latest  software 
bugs,  regarding  Microsoft’s  latest 
version  of  Windows 


You  want  an  authentication  solution  that’s  rock-solid. 
Shouldn’t  you  expect  the  same  of  the  company  behind  it? 
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CSO  magazine  got  a 
behind-the-scenes 
tour  of  Hoover  Dam 
security  operations 
in  September.  Top: 
Hydro-electric 
generators  at  the 
bottom  of  the  data. 
Below:  vehicles  y 
passing  over  the  dam 
one  of  many  security 
warnings  posted  iffy 
around  the  site. 


>>  BRIEFING 


carrying  luggage,  and  enclosed-box  trucks 
are  prohibited  from  crossing  the  road  atop 
the  dam.  (That  traffic  is  diverted  south  to  a 
Colorado  River  bridge  at  Laughlin,  Nev.)  “Cars 
are  searched  on  a  random  basis  or  if  there  is  a 
reasonable  suspicion,”  Gregson  said. 

Security  training  and  exercises  for  the 
police  and  security  officers  is  conducted  fre¬ 
quently,  often  with  other  federal  and  local  law 
enforcement  agencies  to  help  them  become 
familiar  with  the  facility.  The  Hoover  Dam 
police  department  partners  with  many  of  the 
neighboring  law  enforcement  agencies.  “They 
conduct  joint  training  with  us,”  Gregson  said. 

Meanwhile,  a  new  Hoover  Dam  bypass  and 
bridge  is  under  construction,  scheduled  for 
completion  next  year.  It  will  divert  U.S.  93  traffic 
downstream  from  the  dam.  Once  the  bypass  is 
completed,  the  road  atop  the  dam  will  no  longer 
be  a  direct  route  between  Nevada  and  Arizona. 

Those  managing  dam  security  are  bound  by 
a  host  of  government  regulations  and  security 
standards,  including  Homeland  Security 
Presidential  Directives,  and  regulations  and 
standards  enforced  by  the  North  American 
Electrical  Reliability  Council.  Linder  Presidential 
Directive  12,  employees’  and  contractors’  iden¬ 
tities  and  their  suitability  for  work  on  the  site 
must  be  confirmed  through  background  checks. 

“Everyone  undergoes  some  form  of  identity 
verification  and  must  display  their  identifi¬ 
cation  badge  when  they  are  on  the  facility,” 
Gregson  said.  -B.B. 


Guiding  us  was  Peter  Gregson,  regional 
security  officer  for  Reclamation’s  Lower 
Colorado  Region.  The  tour  began  at  the  Hoover 
Dam  Police  Department  in  the  Security  Com¬ 
mand  Center,  where  the  security  staff  moni¬ 
tors  the  various  security,  access-control  and 
communications  systems  on  a  24/7  basis. 

In  addition  to  the  Hoover  Dam  police  force, 
the  dam  employs  contract  security  personnel 
to  man  vehicle  checkpoints  on  the  Nevada  and 
Arizona  entrances. 

Gregson  said  many  of  the  security  controls, 
including  such  things  as  the  checkpoints  and 
command  center,  were  instituted  in  direct 
response  to  the  9/11  terrorist  attacks. 

Commercial  vehicle  traffic  across  the  dam 
is  restricted.  At  the  checkpoints,  U-Haul- 
type  vehicles  are  allowed  in  after  a  search  is 
conducted,  while  semi-trailer  trucks,  buses 


PSH 


C-9M1 


.iii.W-'-  ' 


CRITICAL  INFRASTRUCTURE 

HOW  9/11 
Shaped  Hoover 
Dam  Security 
Operations 

Here’s  how  the  Bureau  of 
Reclamation,  a  part  of  the  U.S. 
Department  of  the  Interior, 
protects  a  national  icon 

Built  during  the  Great  Depression,  Hoover 
Dam  is  one  of  America’s  great  histori¬ 
cal  landmarks.  Securingthe  dam  and 
providing  a  safe  experience  for  its  many 
visitors  requires  a  robust  security  program. 

Security  officials  from  the  Bureau  of  Recla¬ 
mation  gave  CSOonline  a  tour  of  the  facilities 
in  mid-September,  showing  us  highlights  of  the 
various  security  programs. 

[See  more  images  from  inside  Hoover  Dam: 
www.csoonline.com/article/505663 ] 

The  Art  Deco  concrete  structure,  located 
about  an  hour  outside  Las  Vegas  in  the  Black 
Canyon  of  the  Colorado  River,  straddling  the 
Nevada-Arizona  border,  was  the  largest  hydro¬ 
electric  generating  station,  and  the  world’s 
largest  concrete  structure,  when  completed 
in  1936.  More  than  75  years  later,  Hoover  Dam 
continues  to  fill  its  multiple  roles  in  flood 
control  and  power  generation,  and  as  a  major 
supplier  of  water  in  the  southwestern  U.S. 

The  site  is  practically  a  city  in  itself,  with 
its  own  police  department  and  other  security 
services.  Some  security  procedures  and  sys¬ 
tems  designed  to  deter  and  detect  threats  and 
defend  the  facility  were  visible;  however,  much 
of  the  security  activity  is  hidden. 
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Security 

Wisdom 

Watch 


Thumbs  up:  OWASP:  The  Open 
Web  Application  Security 
Project  has  been  pushing 
aggressively  to  do  something 
about  the  sloppy  state  of  app 
security.  One  key  goal  is  to  get  app 
writers  to  make  security  a  central 
part  of  the  development  process.  CSO 
magazine  witnessed  one  such  effort 
last  month-The  AppSec  D.C.  confer¬ 
ence  in  Washington,  where  attendees 
were  treated  to  a  wealth  of  workshops, 
presentations  and  fresh  data  on  the 
latest  security  threats.  Awareness  is 
key  in  this  fight,  and  OWASP  remains  a 
leader  in  this  regard. 

Thumbs  up:  Josh  Corman. 

The  451  Group  analyst  ticks 
off  a  lot  of  QSA  types  when 
he  compares  antivirus  tools 
and  firewalls  to  wooden  shields 
and  swords  and  calls  PCI  DSS  a  devil. 
But  somebody  has  to  challenge  the 
conventional  wisdom  and  make 
companies  rethink  their  security 
programs,  and  he  does  it  well. 

Thumbs  down:  Federal  data 
security  legislation.  Given 
all  the  cries  for  one  simpli¬ 
fied  cybersecurity  law  that 
trumps  all  the  state  laws,  there 
sure  are  a  lot  of  misgivings  about 
the  notion  of  Washington  enforc¬ 
ing  security  compliance.  One  would 
think  Washington  has  a  real  problem 
enforcing  the  standards  it  sets. 

Thumbs  down:  Smart 
phones  in  the  courtroom. 
Jurors  using  their  iPhones 
to  tweet  details  of  the  cases 
they’re  hearing  to  friends,  fam¬ 
ily  and  colleagues?  It’s  happening 
at  a  disturbing  rate.  Court  officers: 

Tell  jurors  to  hand  over  their  phones 
before  taking  their  seat  on  the  panel. 

-B.B. 


PHYSICAL  SECURITY 

Counterfeit  Money: 
Still  Going  Strong 


Chad  Wasilenkoff,  CEO  of 
banknote-maker  Fortress 
Paper,  talks  about  where  and 
how  counterfeiters  are  still 
successfully  plying  their  trade 

In  the  month  of  October,  U.S.  law 
enforcement  officials  arrested  people 
in  North  Carolina,  Virginia  and  Kentucky 
for  trying  to  use  counterfeit  money. 
Earlier  this  year,  the  U.S.  Secret 
Service  seized  $8.4  million  in  fake  U.S. 
currency  that  was  being  printed  in  Peru. 

Though  government  statistics  indicate 
that  counterfeit  currency  represents  less 
than  3  percent  of  the  bills  in  circulation  in 
the  U.S.,  Chad  Wasilenkoff  says  technol¬ 
ogy  has  allowed  counterfeiters  around 
the  world  to  become  more  sophisticated, 
and  that  percentage  is  much  higher  in 
other  countries. 

Wasilenkoff  is  CEO  of  Fortress  Paper, 
which  manufactures  security  papers 
such  as  banknotes,  passport  pages  and 
visa  stickers.  Wasilenkoff  spoke  with  CSO 
about  the  global  state  of  counterfeiting 
in  2009. 

Fortress  makes  several  products 
that  might  be  targeted  for  counter¬ 
feiting.  Are  the  concerns  different  for 
each  product? 

Wasilenkoff:  They  differ  for  each 
product  and  also  for  each  country.  Some 


countries  have  a  high  threshold  or  toler¬ 
ance  for  counterfeiting. 

They  recognize  they  aren’t  getting  the 
absolute  most  premium  product  and  that 
they  are  not  implementing  every  single 
security  feature,  so  they  know  it  will  result 
in  a  higher  level  of  counterfeiting. 

But  it’s  a  cost-benefit  analysis.  They 
recognize  that  many  more  security 
features  would  be  just  that  much  more 
expensive.  So  whether  it’s  banknotes,  visa 
stickers,  passport  pages  or  something 
else,  from  country  to  country,  there  are 
variations  of  how  many  security  features 
they  want  to  put  in.  It  all  comes  down  to 
cost-benefit  analysis. 

in  which  countries  does  a  lot  of 
counterfeiting  take  place?  How  wide¬ 
spread  is  it? 

Maybe  five  or  10  years  ago,  most  of 
the  counterfeiting  of  banknotes  was  done 
with  U.S.  dollars.  There  were  several 
large  hubs  in  South  America,  particularly 
Colombia. 

But  things  are  starting  to  migrate. 
China  is  really  starting  to  pick  up  with 
counterfeiting  operations;  not  only  with 
their  own  currency  but  also  other  interna¬ 
tional  currency. 

There  is  also  a  steady  amount  of  coun¬ 
terfeiting  of  the  euro,  which  is  typically 
done  in  Eastern  Europe. 

-Joan  Goodchild 
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This  USB  drive  contains  your.. 

company  secrets,  confidential  customer  list  and  the 
names  and  salaries  of  your  employees. 


It's  about  to  be  sold 
to  your  competitor. 


How  did  you  know? 

because...  Spector  360  is  watching 


■  ill! 
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Spector  360 


"Spector  360  is  the 
most  mature 
surveillance  offering 
for  business  use." 

-  PC  Magazine  Editors' Choice 


SpectorSoft* 


The  latest  insider  theft  statistics  show  that  six  out  of  ten  employees  steal  company 
confidential  data  by  saving  it  to  USB  and  other  portable  drives,  sending  it  through  email  and 
chat  or  printing  it  out.  Employees  may  steal  your  information  to  leverage  a  new  job  or  for 
financial  gain.  Others  accidentally  or  intentionally  leak  sensitive  and  confidential  information 
on  a  routine  basis. 

Keep  Your  Company  Confidential  Information  Safe  With  Spector  360 

Spector  360,  the  leading  company-wide  monitoring  and  surveillance  software  lets  you  know 
EXACTLY  what  your  employees  are  doing  with  your  company  data.  Spector  360  shows  all 
files  transferred,  documents  printed,  all  emails,  chats,  instant  messages  sent  and  received, 
and  every  web  site  visited.  Spector  360  records  all  program  and  user  activity  and  even 
detects  and  sends  you  an  alert  if  there  is  a  threat  to  your  data.  With  Spector  360,  you  can 
quickly  observe  how  any  or  all  employees  are  using  company  resources  and  information, 
with  easy  to  read,  high  level,  customizable  reports  and  charts.  You  can  even  drill  down  to 
screen  snapshots  if  you  see  an  area  of  concern. 

Don't  let  your  employees  become  statistics.  Protect  your  company,  employee  and  client  data 
with  Spector  360,  the  most  widely  used  and  trusted  employee  monitoring  tool  available. 


Take  the  next  step: 


Call  us  today  at:  Visit  us  online  at: 

1 .877.288.5699  www.Watchwith360.com 

s _ 


'•0  Copyright  2009  SpectorSoft  Corporation.  All  rights  reserved.  PC  Magazine  Editors’Choice  Award  Logo  Is  a  trademark  of  Ziff  Davis  Publishing  Holdings  Inc  Used  under  license 


TACTICS 


TOOLS,  TECHNOLOGIES  AND 

By  Mary  Bran  del 


Current  Events 


SIEM  software  can  analyze  your  network  log  data  to  quickly  identify 
threats  and  incidents.  But  how  to  find  the  right  package? 


ecurity  information  and  event 
management  (SIEM)  technology 
performs  two  main  functions, 
according  to  Gartner: 

l.  Security  event  management 
(SEM):  Analyzes  log  and  event  data  in  real 
time  to  provide  threat  monitoring,  event 
correlation  and  incident  response.  Data 
can  be  collected  from  security  and  network 
devices,  systems  and  applications. 

2.  Security  information  management 
(SIM):  Collects,  analyzes  and  reports  on 
log  data  (primarily  from  host  systems  and 
applications,  but  also  from  network  and 
security  devices)  to  support  regulatory 
compliance  initiatives,  internal  threat  man¬ 
agement  and  security  policy  compliance 
management. 

Market  Overview 

Worldwide  revenue  for  SIEM  was  $663.3  mil¬ 
lion  in  2008  and  is  expected  to  grow  to 
$1.4  billion  in  2013,  which  is  a  compound 
annual  growth  rate  of  16  percent,  according 
to  IDC.  Meanwhile,  Gartner  estimates  that 
SIEM  was  a  $1  billion  market  in  2008,  with 
growth  of  30  percent  that  year. 

Historically,  event  management— or 
SEM— has  driven  this  market,  but  today’s 
growth  is  mainly  related  to  regulatory 
compliance,  with  secondary  requirements 
for  effective  threat  monitoring,  according  to 
Kelly  Kavanaugh,  an  analyst  at  Gartner.  For 
example,  the  Payment  Card  Industry  Data 


Security  Standard  (PCI  DSS)  requires  log 
management,  and  the  Sarbanes-Oxley  Act 
requires  privileged  user  reporting,  he  says. 

Traditional  SEM  vendors  have 
responded  by  orienting  products  previ¬ 
ously  geared  toward  real-time  event  alerting 
and  management  toward  log  management 
functionality.  For  instance,  ArcSight  added 
its  Logger  appliance  and  additional  deploy¬ 


ment  options  to  address  compliance.  Mean¬ 
while,  SIM  players  such  as  SenSage  and 
LogLogic  are  adding  real-time  capabilities. 

Jon  Oltsik,  an  analyst  at  Enterprise  Strat¬ 
egy  Group,  sees  the  market  differently.  The 
main  driver,  he  says,  is  the  need  to  keep  up 
with  security  complexity.  “There  is  an  acute 
awareness  that  security  attacks  are  more 
sophisticated  and  that  security  at  a  system 
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level  is  harder  than  at  the  device  level,”  he 
says.  Compliance  is  the  second  most  impor¬ 
tant  factor,  he  says,  and  the  third  is  the  need 
to  replace  early  SIEM  platforms  that  don’t 
scale  or  provide  the  right  level  of  analytics 
and  reporting  capabilities. 

Forrester  expects  consolidation  among 
the  20 -plus  SIEM  vendors  in  the  next  12 
to  3 6  months,  as  well  as  more  cloud-based 
SIEM  services. 

Core  Capabilities 

According  to  Gartner,  five  critical  capabili¬ 
ties  differentiate  SIEM  products,  whether 
you  use  them  for  SEM,  SIM  or  both. 

Log  management.  This  includes  func¬ 
tions  that  support  the  cost-effective  col¬ 
lection,  indexing,  storage  and  analysis  of 
a  large  amount  of  information,  including 
log  and  event  data,  as  well  as  the  ability  to 
search  and  report  on  it.  Reporting  capa¬ 
bilities  should  include  predefined  reports, 
ad  hoc  reports  and  the  use  of  third-party 
reporting  tools. 

Compliance  reporting.  Key  capabilities 
include  user  and  resource  access  reporting. 

SEM.  This  includes  real-time  data  col¬ 
lection,  a  security  event  console,  real-time 
event  correlation  and  analysis,  and  incident 
management  support. 

Deployment  and  support  simplicity. 
The  need  for  compliance  has  encouraged 
smaller  security  staffs  to  adopt  SIEM,  and 
these  buyers  need  predefined  functions 
and  ease  of  deployment  and  support  over 
advanced  functionality  and  extensive  cus¬ 
tomization.  Large  volumes  of  event  data 
will  be  collected,  and  a  wide  scope  of  analy¬ 
sis  reporting  will  be  deployed.  This  calls 
for  an  architecture  that  supports  scalability 
and  deployment  flexibility. 

User  and  resource  access  analysis. 
This  capability  defines  access  policies  and 
discovers  and  reports  on  exceptions.  It 
enables  organizations  to  move  from  activ¬ 
ity  monitoring  to  exception  analysis.  This  is 
important  for  compliance  reporting,  fraud 
detection  and  breach  discovery. 

DOs  and  DON’Ts 

DO  include  multiple  stakeholders.  When 
developing  requirements,  be  sure  to  col¬ 
lect  them  from  the  range  of  groups  that 
may  benefit  from  collected  log  data.  This 
includes  internal  auditors,  compliance,  IT 
security  and  IT  operations. 


EVALUATION 

CRITERIA 

Mike  Mahoney,  manager  of  IT 
security  and  compliance  at  Liz 
Claiborne  Inc.,  used  the  following 
evaluation  criteria  when  choos¬ 
ing  a  SIEM  product,  eventually 
deciding  on  Q1  Labs'  QRadar. 

He  asked  several  teams  within 
the  organization  to  rank  these 
criteria  in  terms  of  their  impor¬ 
tance  to  getting  their  jobs  done, 
both  for  statistical  work  (trend¬ 
ing,  historical,  matrices  and 
reporting)  and  for  correlation 
(normalization  and  analyzing). 

Threat  identification:  Raw 

log  form  vs.  descriptive. 

Threat  tracking:  Ability  to 
track  through  the  various  events, 
from  source  to  destination. 

Policy  enforcement:  Abil¬ 
ity  to  enforce  defined  polices. ' 

Application  analysis: 

Ability  to  analyze  applica¬ 
tion  at  Layer  7  if  necessary. 

Business  relevance  of 
events:  Ability  to  assign  busi¬ 
ness  risk  to  events  and  have 
weighted  threat  levels. 

Measuring  changes  and 
improvements:  Ability  to  track 
configuration  changes  to  devices. 

Asset-based  information: 

Ability  to  gather  information 


There  are  certainly  customers  just  look¬ 
ing  for  log  management  because  of  a  compli¬ 
ance  requirement,  and  they  may  not  have  the 
internal  resources  to  do  anything  but  collect 
and  document  logs,  Kavanaugh  says.  “But 
many  buyers  realize  the  capabilities  inher¬ 
ent  in  log  management  software— the  abil¬ 
ity  to  collect,  search  and  run  reports— are 
valuable  to  security  operations.”  Once  the 
security  group  gets  involved,  he  says,  they 
look  at  including  network  security  devices, 
routers  and  other  areas  of  the  network  envi¬ 
ronment  where  they  don’t  have  great  insight, 
as  well  as  the  real-time  component. 

When  selecting  a  SIEM  product  at  Liz 


on  devices  on  the  network. 

Anomalous  behavior 
(server):  Ability  to  trend 
and  see  changes  in  how  it 
communicates  to  others. 

Anomalous  behavior 
(network):  Ability  to  trend 
and  see  how  communications 
pass  throughout  the  network. 

Anomalous  behavior 
(application):  Ability  to  trend 
and  see  changes  in  how  it 
communicates  to  others. 

User  monitoring:  User 
activity,  logging  in,  appli¬ 
cations  usage,  etc. 

Mahoney  also  asked  the 
teams  to  respond  to  the  follow¬ 
ing  questions: 

■  What  devices  would  be 
candidates  for  log  and 
event  collection? 

■  What  policies  would 
you  like  to  track? 

■  What  information  would  you 
like  to  have  available  if  a  threat 
or  vulnerability  was  identified? 

■  What  sort  of  devices  and 
information  would  be 
valuable  for  your  area,  in 
terms  of  asset  collection? 

■  What  length  of  time  for 
access  to  current/archival 
information  is  acceptable? 

-M.B. 

Claiborne,  Mike  Mahoney,  manager  of  IT 
security  and  compliance,  involved  architec¬ 
ture  leaders  from  eight  groups,  asking  them 
to  respond  to  an  in-depth  questionnaire 
regarding  what  would  help  them  improve 
their  jobs.  It  ultimately  took  six  months  to 
complete  the  evaluation.  “I  wanted  this  to 
be  a  tool  they  would  benefit  from  beyond 
log  collection,”  Mahoney  says. 

“Ultimately,  the  point  of  intersection  is 
log  management,  but  analytics  might  be 
done  by  two  different  platforms,”  Oltsik 
says.  “Whether  you  need  security  or  com¬ 
pliance,  you’re  using  the  same  log  data.” 

DO  emphasize  correlation  capabilities. 
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Critical  Capabilities 

Gartner  rated  SIEM  products  on  the  five  capabilities 
it  considers  critical,  on  a  scale  from  1.0  to  5.0.  CSO 
included  five  vendors  that  garnered  the  highest  market 
share,  according  to  I  DC.  Here  are  the  results. 
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Correlation  is  a  key  aspect  of  SIEM  systems, 
says  Larry  Whiteside,  associate  director  of 
information  security  at  the  Visiting  Nurse 
Service  of  New  York  (VNSNY).  SIEM  sys¬ 
tems  normalize  logs  from  various  systems, 
which  helps  you  see  the  most  important  data 
you  need  out  of  those  logs  in  a  readable  for¬ 
mat.  They  also  help  you  correlate  events  that 
the  human  eye  could  never  perceive  but  that 
correlation  rules  can  detect.  “If  you  use  cor¬ 
relation  rules,  you  can  run  a  report,  and  two 
events  that  are  to  minutes  apart  will  be  right 
on  top  of  each  other  because  they’re  directly 
related  to  each  other,”  Whiteside  says.  “If 
somebody  does  something  once  every  30 
minutes,  there’s  no  way  of  looking  at  the  log 
in  the  traditional  sense  and  finding  that.” 

Mahoney  concurs  that  this  is  beyond 
human  capability.  One  of  the  PCI  DSS 
requirements,  he  says,  is  to  review  log 
events  on  a  daily  basis,  which  can  involve 
millions  of  events  per  day.  “The  strength  of 
SIEM  is  the  ability  to  normalize  the  data  and 
present  it  in  a  standard  format,”  he  says.  At 
Liz  Claiborne,  it  takes  one  person  two  hours 
a  day  to  review  log  events,  and  that’s  thanks 
to  rules  built  for  specific  occurrences. 

DO  look  for  usability.  When  Whiteside 
chose  Symantec’s  SIEM  product,  he  was 
ultimately  sold  on  the  usability  of  the  inter¬ 
face,  as  well  as  how  easy  it  was  to  set  up  pol¬ 
icies  and  rules,  create  manual  reports  and 
schedule  automated  reports.  This,  he  says, 
really  helped  weed  out  numerous  players. 

Symantec’s  DeepSight  Threat  Manage¬ 
ment  System  feature,  for  example,  provides 
updates  on  threats  going  on  in  the  world 
and  correlates  that  information  with  alerts 
coming  from  your  own  devices.  “I  might  get 
an  alert  from  the  intrusion  detection  system 
or  firewall  that  is  rated  as  low,  but  when  it’s 
correlated  with  the  threat  management 
information,  which  says  it’s  seen  a  spike  in 
this  activity,  it  will  raise  the  criticality  of  the 
alert,”  Whiteside  says.  “I  get  a  real-world- 
type  scenario.”  He  can  also  put  controls 
in  place  so  that  if  the  activity  spikes,  he’s 
already  protected. 

DO  look  for  ease  of  building  correlation 
rules.  In  addition  to  basic  usability,  it’s  also 
important  to  look  more  deeply  into  how 
easily  the  system  replicates  what  you  nor¬ 
mally  ask  humans  to  do,  says  Brian  Cincera, 
senior  director  of  worldwide  technology 
infrastructure  at  Pfizer.  An  example  is  cre¬ 
ating  correlation  rules  that  help  his  staff 


focus  on  the  areas  of  highest  risk. 

“We’ve  found  that  creating  a  rule  and 
having  one  that  reliably  replicates  what 
a  human  can  do  are  two  different  things,” 
Cincera  says.  “You  can  get  any  one  of  these 
systems  and  it  will  generate  a  lot  of  red 
flashing  lights.  But  the  point  is,  I  have  lim¬ 
ited  resources  of  really  smart  people  who 
can  focus  on  a  few  important  events  around 
the  most  significant  areas  of  data  and  risk, 
so  I  have  to  keep  the  steadily  growing  noise 
level  down,  and  the  machine  is  the  only  way 
I  can  do  that.” 

Ease-of-use  features  in  ArcSight  include 
the  interface  itself,  the  sophistication  of  the 
rule  sets  provided,  drop-down  boxes  and 
the  ability  to  construct  expressions  that  are 
English-like  rather  than  complex  formulas, 
Cincera  says.  “You  don’t  want  it  to  take  a 
Ph.D.  to  create  rules  that  replicate  human 
behavior,”  he  adds. 

DO  consider  investigative  capabilities. 

One  of  the  most  favorable  features  of  Qi 
Labs’  QRadar,  Mahoney  says,  is  its  ability 
to  manage  Layer  7  data.  This  provides  him 
with  a  view  into  not  just  network  behavior, 
but  also  user  and  application  behavior.  “It 
identifies  activity  at  a  higher  level  and  gets 
more  specific  on  application  behavior,”  he 
says,  even  capturing  data  in  the  packets  for 
internal  investigations.  “I  can  view  what 
activity  users  have  done  on  the  network— 


the  applications  they’ve  touched,  the  Web 
sites  they’ve  visited.”  He  can  also  look  at 
specific  databases  on  specific  servers  and 
see  who’s  touching  them.  Or  he  can  get  log 
events  to  see  what  applications  are  talking  to 
other  applications  and  what  database  tables 
they’re  hitting.  “That’s  above  and  beyond 
simple  log  collections,”  Mahoney  says. 

For  instance,  if  Server  A  is  talking  to 
Server  B,  and  activity  peaks  on  Sunday  night 
at  10  p.m.,  he  can  drill  in  further  to  see  what 
desktops  are  involved.  “It’s  very  in-depth 
from  an  investigative  perspective,”  he  says. 

DO  weigh  deployment  options.  SIEM 
buyers  have  a  wide  range  of  deployment 
options  from  which  to  choose.  While 
software  is  the  traditional  form  factor, 
Kavanaugh  says,  vendors  have  increas¬ 
ingly  come  out  with  all-in-one  appliances, 
which  do  the  data  collection,  analysis  and 
correlation  and  use  their  own  built-in  data¬ 
bases  to  store  copies  of  logs.  There  are  also 
many  blended  offerings,  in  which  a  server 
performs  the  real-time  analysis,  correlation 
and  monitoring,  and  an  appliance  covers 
log  collection. 

The  decision  depends  on  factors  such 
as  your  business  requirements,  availability 
of  support  personnel,  maintenance  win¬ 
dows,  network  architecture  and  bandwidth 
restrictions.  For  instance,  a  retailer  might 
have  a  thin  pipe  for  transporting  data  back 
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to  corporate  headquarters  and  therefore 
might  want  an  appliance  at  the  branch  loca¬ 
tion  as  well  as  the  ability  to  send  logs  back  to 
a  central  location  during  nonbusiness  hours 
for  compliance  work,  Kavanaugh  says. 

Whiteside  says  storage  considerations 
are  another  factor  when  choosing  a  deploy¬ 
ment  option.  Some  appliances  offer  only 
local  storage,  with  no  ability  to  send  data  to 
a  secondary  database,  he  says.  This  would 
be  a  problem  if  you  collected  log  data  in 
multiple  regions  but  wanted  to  conduct 
queries  remotely.  “If  someone  needed  to 
run  a  query  for  Europe  but  was  in  the  U.S., 
he  wouldn’t  want  the  query  to  go  all  the 
way  to  a  database  sitting  on  an  appliance  in 
Europe,”  he  says.  “It’s  not  efficient.” 

At  the  VNSNY,  Whiteside  uses  a  multi¬ 
tiered  architecture.  A  Symantec  SIEM 
box  collects  network-based  logs  for  the 
firewalls,  routers,  switches  and  intrusion 
detection  system,  and  a  log  management 
system  from  LogLogic  collects  and  reports 
on  application  and  system  logs.  It  forwards 
these  logs  to  the  Symantec  SIEM,  which 
applies  correlation  rules  to  all  the  log  data. 

Mahoney  says  he  is  happy  to  be  using  an 
all-in-one  appliance  for  the  4,500  devices 
on  Liz  Claiborne’s  network  that  send  log 
events.  “I  don’t  want  to  worry  about  driver 
patches  and  disk  space  requirements  and 
database  maintenance,”  he  says.  With  other 
systems,  data  was  stored  in  a  SQL  database, 
but  with  the  appliance,  it’s  built-in.  “It’s  a 
hands-off  approach,”  he  says. 

Pete  Colley,  security  operations  man¬ 
ager  at  CSC  in  the  United  Kingdom,  says 
there  are  a  couple  of  deployment  options 
with  the  SIEM  he  uses,  which  is  RSA  envi¬ 
sion.  Since  a  CSC  customer  had  a  very  large 
distributed  network,  with  4,000  devices  to 
collect  logs  from,  he  selected  a  distributed 
system  that  ran  the  application  and  data¬ 
base  on  a  server,  with  network-attached 
storage.  Data  is  pulled  in  from  six  or  seven 
remote  collectors,  he  says.  “An  all-in-one 
appliance  wouldn’t  do  it,”  Colley  says.  The 
largest  appliance  he  looked  at  was  limited, 
by  license,  to  1,000  end  devices. 

DON'T  forget  the  managed  service  pro¬ 
vider  option.  Historically,  companies  con¬ 
sidered  an  MSP  only  for  SEM  functionality, 
Kavanaugh  says,  choosing  to  implement 
in-house  systems  for  log  collection  and 
management.  Now,  however,  more  MSPs 
are  offering  log  management  capabilities, 


taking  logs  from  the  customer  premises  to 
a  security  operations  center  and  doing  the 
archiving  and  reporting  from  there.  While 
this  would  not  work  for  companies  with  a 
large  volume  of  logs  or  a  wide  diversity  of 
devices  to  collect  from,  it  is  a  valid  option  for 
midsize  and  smaller  firms,  Kavanaugh  says. 

DON'T  overplay  the  real-time  console. 
When  Whiteside  first  started  using  SIEM 
products,  he  felt  the  real-time  console  was 
the  most  important  aspect  of  this  technology. 
However,  he  eventually  realized  that  only 
5%  of  the  team’s  time  was  spent  looking  at 
the  console,  and  the  rest  was  spent  running 
queries.  “Real-time  alerting  is  extremely 
important,  but  the  console  is  a  nice-to- 
have,”  he  says.  “The  importance  of  SIEM  is 
its  back-end  intelligence  and  alerting.” 

A  key  thing  people  miss  with  SIEM  and 
log  management,  Whiteside  says,  is  that  it’s 
all  reactive,  based  on  whatever  the  incident 
is.  “But  you  at  least  have  a  consolidated 
view  of  what  has  happened  from  disparate 
systems,”  he  adds. 

DON'T  overlook  vendor  support.  Ven¬ 
dor  support  was  crucial  to  Mahoney,  who 
emphasizes  that  SIEM  technology  is 
nowhere  near  “set  and  forget.”  SIEM  is 
a  core  product  for  Qi  Labs,  he  says,  com¬ 
pared  with  other  companies  that  offer 
SIEM  products  that  they  got  via  acquisition. 
“When  you  get  on  the  phone  with  some  ven¬ 
dors,  it  can  take  days  to  get  someone  with 
the  expertise  to  fix  your  problem,”  he  says. 
Mahoney  tested  how  long  it  took  for  the 
vendors  on  his  short  list  to  get  back  to  him 
with  a  fix  for  a  problem.  The  vendors  knew 
he  was  conducting  an  evaluation  and  that 
they  were  in  direct  competition  with  other 
companies.  Qi  got  back  to  him  with  solu¬ 
tions  in  two  days,  whereas  another  vendor 
never  got  back  to  him  at  all. 

DO  look  into  storage  capacity.  Another 
consideration  is  how  much  data  the  system 
will  store,  especially  when  regulations  may 
require  data  to  be  online  for  a  particular 
length  of  time.  With  4,500  devices  sending 
log  events,  and  peaks  of  2  trillion  events  to 
evaluate  per  month,  storage  was  a  big  con¬ 
sideration  for  Mahoney.  “We  have  to  retain 
that  data  for  a  year  to  comply  with  PCI/ 
DSS,”  he  says.  Mahoney  says  he  knows 
of  another  CIO  who  found  that  his  SIEM 
system  could  store  only  four  days’  worth  of 
data  online.  The  key,  he  says,  is  compres¬ 
sion.  “I’m  looking  at  a  data  reduction  rate  of 


63,000-to-i,  he  says.  “They  compress  it,  and 
I  can  go  back  and  look  at  every  log  event  I’ve 
received  in  raw  format.” 

Whiteside  says  his  system  can  store  a 
year’s  worth  of  live  data  online,  although 
he  chooses  to  store  just  180  days’  worth. 

DO  look  at  scalability.  Oltsik  empha¬ 
sizes  that  a  main  requirement  today  is  to 
collect  more  data  from  more  devices  more 
quickly.  “Vendors  measure  this  in  events 
per  second,”  which  have  grown  from  thou¬ 
sands  to  hundreds  of  thousands,  he  says. 

DON'T  overlook  hidden  costs.  Cincera 
warns  that  hardware  and  software  accounts 
for  one-half  or  less  of  the  total  cost  of  own¬ 
ership  of  a  SIEM  implementation.  The  rest, 
he  says,  is  the  labor  involved  with  creat¬ 
ing,  building  and  deploying  the  technology. 
“You  can’t  just  put  someone  on  the  console 
and  have  them  whip  up  10  good  correlation 
rules  a  day,”  he  says.  “They  need  to  under¬ 
stand  things  like,  ‘These  events  need  to  be 
treated  in  this  manner,  or  with  this  level  of 
discretion.’  ”  This  requires  the  governance 
function  to  specify  which  events  to  care 
about  and  what  actions  to  take.  “There’s  a 
cost  to  the  organization  based  on  that  func¬ 
tion,”  Cincera  says. 

Another  cost  is  maintenance,  which 
includes  keeping  rules  up  to  date,  group 
management,  permissions,  alerting,  moni¬ 
toring  and  metrics.  “You  need  to  manage 
interfaces  to  upstream  systems,  things  that 
feed  information  to  the  engine,”  Cincera 
says.  “You  need  to  stay  constantly  involved, 
making  sure  connections  stay  in  sync  with 
one  another,  and  that  can  be  a  daunting 
effort.”  The  work  level  grows  dramatically 
based  on  the  number  of  upstream  systems 
you  need  to  feed,  he  warns. 

A  third  cost  is  labor.  “Every  event  you 
choose  not  to  ignore  is  one  on  which  you 
must  act,  even  if  it’s  just  to  say,  ‘noted,’  ” 
Cincera  says.  “And  every  action  has  a  cost.” 
And  fourth  is  decommissioning.  At  some 
point,  Cincera  says,  the  rules,  alerts  and 
actions  you  take  lose  value  and  should  be 
decommissioned. 

Total  cost  of  ownership  is  something  no 
vendor  is  good  at  communicating,  he  adds. 
“They  don’t  want  you  to  think  of  all  those 
costs.”  ■ 


Mary  Brandel  is  a  freelance  writer  based  out¬ 
side  Boston.  Send  feedback  to  Editor  Derek 
Slater  at  .com. 
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COVER  STORY  |  SUPPLY  CHAIN 


We  asked  CSOs  and  experts  to  name  the  developments 
that  are  reshaping  their  supply  chains.  Here  are  the  top  five 
forces  challenging  your  physical  and  digital  partnerships, 
and  strategies  for  coping.  By  Lauren  Gibbons  Paul 


s  any  CSO  knows,  it’s  not 
m  enough  to  mind  your 

own  business.  You 
U  have  to  look  after  your 

•'  I  -  business  partners 
as  well,  across  all  links  that  connect  to  your 
supply  chain— whether  that  chain  is  physi¬ 
cal  or  virtu  al.  And  that  goes  double  in  times 
of  rapid  change  and  high  stress. 

“The  threat  environment  is  constantly 
changing,”  says  Ryan  Brewer,  CISO  for 
the  Centers  for  Medicare  and  Medicaid 
Services.  “Sometimes  it’s  hard  to  put  your 
finger  on  what’s  most  important.” 

Who  would  have  thought  three  years 
ago  that  piracy  on  the  supply  chain  would 
be  such  a  big  concern?  Sometimes  the  big 
worry  is  terrorism,  sometimes  it’s  natural 
disasters,  lately  it’s  malware.  Here  are  the 
top  five  developments  CSOs  say  have  the 
biggest  potential  to  wreak  havoc  on  their 
supply  chains. 


No.  l  Game-Changing  Force: 

‘Black  Swan7  Events 

As  Nassim  Nicholas  Taleb  explained  in  his 
2007  book  of  the  same  name,  the  term  “black 
swan”  refers  to  an  event  that  is  high-impact, 
hard  to  predict  and  rare.  Black  swans  need 
not  be  negative  (as  in  the  case  of  9/11)  and 


can  present  times  of  great  opportunity,  but 
CSOs  rightfully  spend  their  time  worrying 
about  the  former  scenario. 

When  it  comes  to  the  supply  chain,  black 
swan  events  can  include  everything  from 
disastrous  weather  to  global  pandemics  to 
terrorist  attacks.  The  problem  is,  if  you  pre¬ 
pare  for  the  worry  du  jour,  you  may  leave 
yourself  exposed  on  other  fronts.  Case  in 
point:  avian  flu.  Warned  that  a  large-scale 
outbreak  of  Asian  bird  flu  would  put  sup¬ 
ply  chains  at  risk,  global  businesses  braced 
for  the  worst.  Executives  discussed  how 
the  supply  chain  might  be  affected  if  the  flu 
broke  out  in  China.  Their  plans  rested  on 
transporting  and  storing  materials  in  other 
places  around  the  world. 

Then,  early  this  year,  H1N1  flu  broke 
out  in  Mexico  and  spread  quickly  to  unex¬ 
pected  regions  like  Australia.  “Companies 
had  to  immediately  reassess  their  plans 
because  they  were  based  on  specific  sce¬ 
narios,”  says  Adam  Sager,  senior  manager 
of  business  continuity  consulting  at  Con¬ 
trol  Risks,  a  security  consulting  firm  in 
Washington.  This  was  a  major  wake-up  call. 
“Companies  realized  they  needed  to  better 
prepare  for  unexpected  events  and  increase 
their  knowledge  of  how  their  organizations 
could  be  impacted.  If  something  is  emerg¬ 


ing  on  a  global  basis,  they  need  to  act  before 
it  affects  their  supply  chain,”  says  Sager. 

When  a  crisis  hits— no  matter  where 
on  the  globe— you  need  to  be  able  to 
understand  and  assess  the  situation  using 
firsthand  country-  and  location-specific 
information,  says  Sager.  And  you  need 
bidirectional  communication  between  cri¬ 
sis  managers  and  the  locale  where  the  event 
is  occurring.  Sager  notes  that  companies 
are  discovering  gaps  between  their  crisis 
plans  and  their  operations. 

“They  had  security  management  and 
crisis  management  plans  in  place,  but  the 
missing  link  was  integrating  them  with 
the  business  so  people  around  the  world 
could  understand  management’s  position 
regarding  critical  things  such  as  uptime, 
issue  resolution  and  who’s  responsible,”  he 
says.  This  type  of  information  is  often  not 
conveyed  to  the  field  in  advance,  a  crucial 
error.  Management  needs  to  empower  local 
decision-makers  in  advance  to  take  action 
quickly  to  mitigate  damage  if  certain  condi¬ 
tions  are  met. 

The  plans  have  to  address  not  just  key 
supply  chain  nodes  and  specific  scenarios 
that  could  occur,  but  also  emerging  security 
vulnerabilities.  “That  is  a  different  mind¬ 
set  and  way  of  planning,”  Sager  says.  “The 
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security  department  has  to  come  together 
with  the  operational/financial  side  of  the 
business,”  looking  at  all  aspects  of  the  sup¬ 
ply  chain,  including  where  the  different 
components  are  located  and  alternative 
sourcing  arrangements.  Sager  puts  his 
clients  through  tabletop  testing,  in  which 
executives  sit  in  a  conference  room  and  go 
through  a  scenario  point  by  point  with  the 
key  decision-makers,  reviewing  how  they 
would  respond. 

Marc  Siegel,  commissioner  for  the  ASIS 
International  Global  Standards  Initiative,  is 
leading  the  charge  to  develop  an  ISO  stan¬ 
dard  for  supply  chain  resilience.  ASIS  has 
already  published  SPC.i,  its  first  organiza¬ 
tional  resilience  standard,  which  it  expects 
will  be  ready  by  the  end  of  the  year.  “We 
think  standards  are  the  answer  for  dealing 
with  [black  swans],”  Siegel  says.  “Com¬ 
panies  have  to  develop  a  comprehensive 
[supply  chain  resilience]  strategy  because 
their  resources  are  limited.  This  allows 
you  to  look  at  the  full  picture,  rather  than 
just  separate  out  the  different  things.”  For 
example,  a  strategy  to  prevent  terrorism 
might  work  against  piracy  or  help  during 
an  earthquake  as  well. 

Organizations  need  to  approach  risk 
from  a  holistic  standpoint,  Siegel  adds. 
“The  problem  with  the  risk  du  jour  is  that 
the  likelihood  of  it  happening  varies  so 
greatly  between  organizations  that  it  can 
divert  your  attention  away  from  doing  a 
comprehensive  risk  assessment.”  In  short, 
it  can  make  you  take  your  eye  off  the  ball. 

No.  2  Game-Changing  Forces 

The  Rise  of  Malware 

Information  security  matters  also  weigh  on 
CSOs’  minds,  though  they  are  not  as  vis¬ 
ibly  related  to  the  supply  chain  as  physical 
security  is.  An  organization  (and  therefore 
its  supply  chain)  can  be  brought  low  by 
an  attack  on  its  information  network  as 
surely  as  it  can  be  hurt  by  an  attack  on  its 
cargo.  Many  CSOs  say  they  are  worried 
about  botnets;  two  of  the  most  pressing 
threats  related  to  botnets  are  spam/phish¬ 
ing  attacks  on  employees  and  the  possibil¬ 
ity  of  a  resurgence  in  the  denial-of-service 
(DoS)  attacks  that  first  appeared  10  or  more 
years  ago. 

Ed  Amoroso,  CISO  of  AT&T,  blames 
rampant  technological  complexity  for  the 
rise  in  malware.  “The  primary  root  cause 


for  almost  everything  we  deal  with— 
commercial  customers  and  everything— is 
complexity.  The  computers  and  networks 
that  people  set  up  and  use  have  become  way 
too  complicated,”  says  Amoroso.  Since  no 
one  knows  exactly  where  all  the  connec¬ 
tion  points  between  systems  lie,  it  is  easy 
for  wrongdoers  to  exploit  them.  “I’ve  read 
that  95  percent  of  the  spam  that  is  floating 
around  is  botnet-originated,”  he  adds.  “It’s 
all  about  complexity— people  not  knowing 
how  to  stop  it  on  an  individual,  corporate 
and  information  security  level.” 

Like  Amoroso,  Joonho  Lee  worries  a  lot 
about  the  advent  of  integrated  DoS  attacks. 
“DoS  used  to  be  about  large-volume  traffic 
hitting  your  network,”  says  Lee,  an  officer 
for  the  National  Incident  Response  Team 
and  assistant  vice  president  at  the  Federal 
Reserve  Bank  of  New  York.  “Now,  there  are 
so  many  different  types  of  attacks.  It’s  not 
just  flooding  you  with  traffic  anymore.  It’s 
flooding  you  with  traffic  that  you  can’t  block. 

“We  have  all  the  DoS  protections,  but  I’m 
very  skeptical  about  them  always  working. 
If  you  get  hit  by  a  40-gig-per-second  pipe, 
it’s  going  to  knock  you  out,  either  your 
network  or  your  provider,”  says  Lee.  “The 
hackers  are  leveraging  hundreds  of  thou¬ 
sands  of  machines.  DoS  is  definitely  back 
on  the  horizon.” 

Rena  Mears,  a  partner  in  security  and 
privacy  services  for  Deloitte  &  Touche, 
believes  the  malware  supply  chain  is  itself 
approaching  maturity.  “You  go  back  a 
decade,  and  it  was  a  few  people  doing  men¬ 
tal  gymnastics.  Then  we  moved  to  an  era 
where  it  was  monetized  [via  phishing  and 
spam].  The  next  step  was  the  massive  quick 
hit— equivalent  to  a  bank  robbery.  Now  we 
are  seeing  something  much  more  insidious,” 
says  Mears.  Malware  and  its  perpetrators 
are  growing  increasingly  sophisticated. 

Rather  than  carrying  out  the  massive 
hit-and-run  DoS  attacks  of  the  past,  today’s 
malware  seeks  to  sustain  itself  at  a  relatively 
low  level,  similar  to  the  way  a  parasite  sur¬ 
vives  in  nature.  “This  is  more  of  a  constant  - 
stream-of-revenue  strategy.  The  malware 
agent  can  live  below  the  organization’s  pain 
threshold,  but  it  siphons  off  information  to 
compromise  intellectual  property  or  scoop 
up  credit  card  information,”  Mears  says. 

Lee,  for  one,  does  not  believe  that  net¬ 
work  service  providers  can  adequately  pro¬ 
tect  against  the  threats  posed  by  new-breed 


malware.  Amoroso  of  AT&T  acknowledges 
that  the  situation  is  difficult,  saying  only 
that,  like  other  providers,  AT&T  has  devel¬ 
oped  multiple  strategies  for  handling  new- 
breed  DoS  attacks.  He  believes  that  the 
increasing  popularity  of  thin  clients  will 
help  thwart  these  attacks  because  they  are 
simpler,  with  fewer  moving  parts  to  attack. 

No.  3  Game-Changing  Force; 

Economic  Malaise 

It  is  axiomatic  that  crime  increases  as 
the  economy  deteriorates.  A  number  of 
threats— to  physical  security  as  well  as 
information  security— have  become  more 
pressing  in  the  past  year  or  so.  Many  CSOs 
expect  the  associated  threat  pool  to  continue 
to  widen.  Although  the  economy  is  forecast 
to  improve  slowly  in  the  coming  year  or  two, 
many  experts  expect  the  reshaped  land¬ 
scape  will  not  necessarily  signal  a  return  to 
prosperity  for  all,  or  even  most,  of  society. 
Some  people  will  be  desperate  and  there¬ 
fore  prone  to  desperate  actions. 

As  the  economy  continues  to  falter, 
more  and  more  people  are  losing  their  jobs, 
which  often  means  losing  their  health  insur¬ 
ance  as  well.  Ray  Biondo,  CISO  at  Health 
Care  Services  (which  runs  four  Blue  Cross 
Blue  Shield  plans  in  Illinois),  fears  ongoing 
economic  problems  will  cause  wide-scale 
employee  layoffs,  which  the  company  has 
so  far  managed  to  avoid.  He  fears  the  com¬ 
ing  of  a  national  healthcare  plan  could  have 
the  same  effect.  Biondo  finds  himself  wor¬ 
rying  more  about  insider  threats  to  infor¬ 
mation  and  physical  safety  than  he  did  a 
few  years  ago. 

“I  worry  about  internal  physical  threats 
and  threats  to  our  data.  People  become 
very  anxious,  and  data  leakage  becomes 
an  issue,”  says  Biondo.  He  believes  he  has 
taken  all  available  measures  to  protect 
information  and  physical  security,  but  he 
remains  uneasy. 

Chris  Falkenberg  foresees  increased 
threats  to  personal  security,  including  the 
kidnapping  of  business  executives  abroad 
and  attacks  on  high-net -worth  individuals. 
“CSOs  will  have  to  deal  with  these  things 
because  they  have  to  protect  their  execu¬ 
tives,”  says  Falkenberg,  president  of  secu¬ 
rity  services  firm  Insite  Security.  He  also 
worries  that  personal  kidnapping  could 
become  a  problem  in  the  United  States, 
though  the  country  does  not  have  the  wide- 
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Outsourcing: 
Easy  Answer? 


With  so  many  different  types  of  emerging  threats 
to  worry  about,  it's  no  surprise  that  many  CSOs 
use  outsourcing  as  a  way  to  cope.  Security 
budgets  have  been  cut  along  with  everything 
else,  but  threats  are  increasing.  Sure,  security  staffs 
have  had  to  do  more  with  less,  just  like  their  colleagues, 
but  at  some  point  the  coverage  will  start  to  break  down. 
A  security  service  provider  with  expertise  in  a  particular 
area  should  be  able  to  mitigate  (or  help  you  mitigate) 
security  threats  much  more  cheaply  and  easily  than  you 
can  in-house,  especially  now. 

“You  can’t  possibly  have  one  person  at  10  a.m. 
talking  about  a  terrorist  threat  in  Asia  and  then  at  noon 
talking  about  the  threat  from  an  aggrieved  husband,” 
says  Chris  Falkenberg,  president  of  Insite  Security. 

On  the  other  hand,  it’s  not  like  outsourcing  grants  you 
a  sleep-through-the-night-worry-free  card.  “We  have  to 
look  at  outsourcing  for  some  of  the  things  we  do,”  says 
Ray  Biondo,  CISO  at  Health  Care  Services.  “I  don’t  have 
that  much  confidence  in  the  vendors.  And  the  cost  goes 
up  so  high,  it's  almost  unaffordable.”  -L.G.P. 


spread  governmental  corruption 
that  typically  allows  such  activities 
to  take  root.  He  believes  most  CSOs 
do  not  have  the  internal  expertise  to 
handle  this  type  of  threat. 

Lee,  of  the  Federal  Reserve  Bank, 
believes  emerging  threats  such  as 
malware  and  attacks  by  insiders 
require  stronger  communication 
between  the  information  security 
and  physical  security  groups,  as 
well  as  any  other  departments  that 
get  involved  when  there  is  a  problem, 
such  as  legal.  “There  needs  to  be 
better  teamwork.  It’s  not  just  train¬ 
ing,”  he  says.  “Even  if  these  groups 
do  speak  to  each  other,  they  usually 
would  just  offload  the  case  onto  the 
other  side.  Everyone  involved  needs 
to  know  the  logical  next  steps.  There 
needs  to  be  recognition  of  joint  own¬ 
ership  of  the  problem.” 

No.  4  Game-tfianging 

Force:  Data  Explosion 

Data  is  now  so  ubiquitous  and  so 
pervasive  that  people  lose  sight  of 
it.  Even  many  manufacturers  today 
are  so  massively  involved  in  data, 
they  never  think  of  themselves  as 
anything  other  than  purveyors  and 
users  of  information.  The  level  of 
integration  companies  have  with 
their  processes  and  business  part¬ 
ners  is  something  they  could  not 
have  contemplated  just  five  years  ago, 
says  Mears.  The  explosion  in  both 
data  itself  and  the  practice  of  sharing  data 
outside  organizational  boundaries  presents 
a  number  of  different  kinds  of  risk. 

Companies  of  all  types  and  sizes  share 
infinite  amounts  of  information  with 
business  partners.  This  data  is  constantly 
updated  and  flows  back  and  forth.  “This  is 
a  two-way  chain,”  says  Mears.  “That  means 
you  are  replicating  data.  We  used  to  say 
‘defend  the  perimeter.’  Many  companies 
don’t  even  have  a  perimeter  anymore.” 

Data  and  information  are  assets,  but 
executives  don’t  know  what  they  have, 
where  it  all  is  and  who  is  (and  isn’t)  pro¬ 
tecting  it.  “It  is  very  difficult  to  secure  data 
when  you  don’t  know  exactly  what  it  is 
and  who  you’re  sharing  it  with  and  no  one 
is  on  the  hook  for  those  decisions,”  says 
Mears.  This  reality  necessitates  a  risk- 


based  approach  to  data  protection.  “You 
cannot  protect  all  data  anymore.  Not  all 
data  assets  are  worth  the  same  amount. 
You  have  to  be  sure  there  is  a  return  on 
that  data  asset,  just  as  you  would  with  any 
other  asset.  You  should  provide  security 
commensurate  with  the  value  of  the  infor¬ 
mation  asset,”  she  says. 

Deloitte  is  advising  its  clients  to  develop 
a  more  focused  response  to  information 
security.  In  a  highly  integrated  global  envi¬ 
ronment,  companies  understand  that  their 
core  intellectual  property  is  at  risk,  but  they 
cannot  afford  to  protect  the  daily  flotsam 
that  is  part  of  business  as  usual.  “Data  pro¬ 
tection  is  now  a  C-suite  and  a  board-level 
issue.  Executives  are  beginning  to  think 
about  how  to  maximize  the  return  on  their 
data  assets,”  says  Mears. 


No.  5  Game-Changing 
Force:  Regulatory  Burdens 

Since  Sept,  ll,  2001,  and  the  passage 
of  the  Sarbanes-Oxley  Act  in  2002, 
regulatory  activity  has  been  high 
in  virtually  every  industry.  This  is 
certainly  true  in  the  food/beverage/ 
agribusiness  industry,  due  to  the 
obvious  importance  of  maintain¬ 
ing  a  food  supply  that’s  safe  from 
contamination,  whether  malicious 
or  innocent.  H.R.  2749,  the  Food 
Safety  Enhancement  Act  of  2009, 
just  passed.  And  Walmart  made 
news  in  2008  when  it  required  all  of 
its  food  suppliers  to  comply  with  the 
stringent  GFSI  (Global  Food  Safety 
Initiative)  standard.  According  to 
Rick  Shanks,  this  standard  above 
all  mandates  traceability  within  the 
food  supply  chain. 

“Many  food  processors  are  not 
prepared  to  deal  with  the  level  of 
traceability  required  by  the  regula¬ 
tion,”  says  Shanks,  national  manag¬ 
ing  director  of  Aon  Risk  Services,  the 
risk  advisory  division  of  Aon  Corp. 
Traceability  requires  a  high  level  of 
supply  chain  visibility,  which  has  not 
always  been  available.  That  makes  it 
more  difficult  to  mitigate  a  food  con¬ 
tamination  incident  such  as  salmo¬ 
nella  in  peanut  butter  or  listeria  on 
deli  slicers.  “When  you  have  a  food 
event,  you  have  to  be  able  to  trace  it 
back  to  its  source,”  says  Shanks.  Aon 
recently  announced  a  service  offer¬ 
ing  that  helps  food  processors  and  produc¬ 
ers  achieve  the  necessary  visibility. 

A  related  force  reshaping  supply  chains 
in  the  food  and  beverage  industry  is  con¬ 
sumers’  increasing  demand  for  visibility 
into  the  provenance  of  their  food.  Produce 
and  seafood  have  been  labeled  to  indicate 
origin  for  a  few  years  now.  The  current 
‘locavore”  trend— which  emphasizes  eat¬ 
ing  locally  grown  food— stems  in  part  from 
consumers’  beliefs  that  food  grown  and 
consumed  nearby  is  less  likely  to  become 
contaminated.  Here,  supply  chains  are 
shedding  links  to  help  allay  consumer 
fears.  ■ 


Lauren  Gibbons  Paul  is  a  freelance  writer  based 
in  Boston.  Send  feedback  to  Editor  Derek  Slater 
at  dslater@cxo.com. 
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A  SELF-PROCLAIMED  GEEK  from  the 
age  of  14,  Andre  DiMino  had  always  been 
interested  in  computers  and  networking. 
But  it  wasn’t  until  he  entered  his  profes¬ 
sional  life  many  years  later  that  he  became 
interested  in  the  security  side  of  that  world. 

“I  was  a  system  administrator  for  a  fairly 
large  network  that  experienced  a  signifi¬ 
cant  hacking  incident  one  weekend,”  says 
DiMino.  “I  became  consumed  with  learn¬ 
ing  about  the  methods  of  attack,  who  might 
be  involved  and  where  it  came  from.  Right 
then,  I  became  passionate  about  all  aspects 
of  security,  as  well  as  the  various  groups 
that  carried  out  the  attacks.” 

And  today,  in  his  forties,  DiMino  says 
his  interest  in  the  dark  side  of  security  con¬ 
sumes  much  of  his  free  time.  By  day,  DiMino 
is  a  professional  digital  forensic  analyst. 
But  by  night,  he  serves  as  director  of  an 
organization  known  as  The  Shadowserver 


Foundation,  a  group  of  volunteers  dedi¬ 
cated  to  sleuthing  out  cybercriminals  and 
shutting  them  down. 

DiMino  and  a  cofounder,  whose  passion 
for  stopping  cybercrime  came  after  he  dis¬ 
covered  that  a  deceased  family  member’s 
computer  was  unknowingly  being  used 
as  part  of  a  bot  network,  launched  Shad¬ 
owserver  in  2004  with  the  initial  mission  of 
tracking  malicious  activity  online  and  find¬ 
ing  some  way  to  make  it  stop. 

“We  just  kind  of  started  chasing  mal¬ 
ware,  chasing  bots,”  says  DiMino.  “Mainly 
we  were  interested  in  understanding  what 
malware  did,  where  it  went,  how  it  was 
developed.” 

A  good  deal  of  their  time  was  spent 
tracking  malicious  botnets— networks  of 
compromised  computers  running  software 
that  is  installed  through  viruses  or  worms, 
without  an  owner’s  knowledge,  and  then 
controlled  remotely  by  a  “bot  master.”  They 
are  used  for  various  criminal  acts,  including 
sending  out  spam,  phishing,  committing 
click  fraud  and  even  launching  distributed 
denial-of-service  attacks,  which  inundate 
a  server  with  requests,  rendering  it  use¬ 
less.  Windows  PCs  are  the  typical  target, 
although  a  Mac  botnet  was  reported  earlier 
this  year. 

Just  five  years  ago,  says  DiMino,  hunt¬ 
ing  botnets  was  a  much  different  game.  The 
botnets  were  fairly  straightforward,  he  says, 
and  the  primary  method  of  communication 
was  IRC  (Internet  Relay  Chat).  DiMino  and 
other  volunteers  were  able  to  act  like  crimi¬ 
nals  by  joining  a  botnet  and  watching  its 
traffic  to  get  an  understanding  of  how  it  was 
architected  and  its  particular  function.  They 
found  that  their  efforts  were  worthwhile  as 
they  began  contacting  network  hosts,  alert¬ 
ing  them  that  their  networks  were  support¬ 
ing  the  botnets  and  seeing  those  botnets  get 
shut  down. 

“Things  really  started  to  snowball,”  says 
DiMino.  “We  decided  it  should  be  a  service 
to  the  community  to  improve  the  safety 
of  the  Internet.  And  we  started  to  build  a 
cross-section  of  security  experts  to  help 
out.” 

Shadowserver  now  has  10  of  what 
DiMino  calls  “carefully  vetted”  volunteers 
in  several  locations  around  the  world. 
These  cybercrime  busters  need  to  be  of  the 
utmost  trustworthiness,  he  says,  because 
the  data  that  Shadowserver  volunteers  deal 


with  is  highly  sensitive— and  it’s  exactly 
what  the  bad  guys  want. 

A  CAT-AND- 
MOUSE  GAME 

DiMino  details  a  four-step  process  that 
Shadowerver  employs  to  stop  botnets.  The 
group  first  detects  malware  by  setting  up 
“honeypots,”  computers  that  can  easily  be 
infected,  and  they  use  many  different  types 
of  technology. 

“In  botnet /malware  network  analysis, 
we  like  to  do  both  dynamic  and  static  analy¬ 
sis,”  says  DiMino.  “Dynamically,  we  want 
to  study  full-content  network  traffic  to  help 
determine  exactly  what  is  happening  on  the 
wire.  So  open-source  tools  such  as  Wire- 
shark,  Chaosreader,  Argus,  etc.,  are  helpful. 
We  also  do  testing  as  to  how  intrusion  detec¬ 
tion  systems  may  detect  malicious  network 
activity,  so  we  use  Snort  as  well.  Then  there 
are  the  various  open-source  honeypots  that 
we  use  as  part  of  our  malware  collection. 
Any  organization  interested  in  malware 
detection/collection  should  run  some  sort 
of  server- side  honeypot  at  different  points 
on  their  network,  including  dark  space.” 
Tools  like  these  can  give  organizations  a 
very  good  look  at  potentially  malicious  traf¬ 
fic  directed  at  them. 

Honeypot  sensors  capture  spam  and 
malware  for  analysis.  Volunteers  want 
to  know  about  its  network  touch  points: 
Where  does  the  malware  go?  Whom  does  it 
attempt  to  contact?  These  are  the  first  steps 
to  finding  a  botnet.  Unfortunately,  it  is  not 
simple  and  requires  a  delicate  balance  that 
allows  the  botnet  hunter  to  obtain  informa¬ 
tion  without  contributing  to  the  problem. 

“Bot  masters  now  have  ways  to  detect 
these  drones  and  kick  them  off,”  says 
DiMino.  “Plus,  we  don’t  want  to  participate 
in  an  attack,  so  we  don’t  want  our  monitor¬ 
ing  system  to  be  used  to  do  a  spam  run  or 
anything  like  that.” 

All  information  is  compiled  into  reports 
Shadowserver  makes  available  to  network 
operators,  as  well  as  to  law  enforcement 
officials  and  other  security-centric  and 
defense  organizations  that  might  need  the 
data  for  research  or  other  purposes.  Shad¬ 
owserver  will  also  contact  network  opera¬ 
tors  to  let  them  know  if  they  are  hosting  a 
botnet.  The  only  request  Shadowserver 
makes  in  return  for  the  free  data,  DiMino 
says,  is  that  the  host  take  action  and  take 


Photo  by  Veer 


December  2009/January  2010  www.csoonline.com  27 


NETWORK  SECURITY 


WHAT’S  IN  A  NAME? 


A  heavyweight  botnet  known  as  Festi  has  been  tracked  by 
researchers  at  Message  Labs  Intelligence  just  since  August, 
but  it’s  already  responsible  for  approximately  5  percent 
of  all  global  spam  (around  2.5  billion  spam  e-mails 
per  day),  according  to  Paul  Wood,  a  senior  analyst  at  Mes- 
sageLabs.  When  a  botnet  like  Festi  pops  onto  the  radar 
screens  of  security  researchers,  it  not  only  raises  questions 
about  what  it's  doing  and  how  much  damage  it  can  cause; 
there’s  also  the  issue  of  what  to  call  it. 

For  all  of  botnets’  prevalence  and  power  online,  when  it  comes 
to  naming  them,  there  is  no  real  system  in  place.  A  common  practice  so 
far  has  been  to  name  botnets  after  the  malware  associated  with  them,  but 
this  method  has  some  drawbacks. 

In  Festi’s  case,  “the  name  came  from  Microsoft;  they  identified  the  malware 
behind  it  and  gave  it  the  catchiest  name,”  says  Wood.  “Usually,  a  number  of  com¬ 
panies  will  identify  the  botnet  at  the  same  time  and  give  it  a  name  based  on  the 
botnet’s  characteristics.  Its  original  name  was  backdoor.winnt/festi.a  or  backdoor, 
trojan.  ‘Backdoor’  would  be  too  generic.  Usually  the  name  and  convention  comes 
from  wording  found  within  the  actual  software  itself." 

Because  the  industry  lacks  a  uniform  way  to  title  botnets,  sometimes  there’s  a 
long  list  of  names  for  the  same  botnet  that  are  used  by  different  antivirus  vendors. 
As  it  stands  now,  the  infamous  Conficker  is  also  known  as  Downup,  Downadup  and 
Kido.  The  Srizbi  botnet  is  also  called  Cbeplay  and  Exchanger. 

The  problem,  obviously,  is  that  name  confusion  makes  defense  and  takedowns 
that  much  harder. 

Gunter  Ollmann,  vice  president  of  research  at  security  firm  Damballa,  believes 
it’s  time  for  vendors  to  agree  on  a  systematic  approach  to  naming  botnets.  Because 
botnets  morph  and  change  so  frequently,  he  says,  they  rarely  continue  to  have  a 
meaningful  association  with  the  original  malware  sample  that  prompted  research¬ 
ers  to  choose  a  particular  name  in  the  first  place. 

Damballa  is  now  using  a  botnet  naming  system,  with  the  agreement  of  custom¬ 
ers,  that  favors  a  two-part  name  and  works  much  like  the  hurricane  naming  system 
used  by  the  National  Weather  Service.  The  first  part  of  the  name  comes  from  a  list 
of  agreed-upon  names.  Once  a  botnet  is  identified,  the  name  at  the  top  is  forever 
associated  with  that  botnet  and  is  crossed  off  the  list.  The  second  part  of  the  name 
tracks  the  most  common  piece  of  malware  that  is  currently  associated  with  the 
botnet.  -J.G. 


down  the  botnet. 

It  can  be  a  thankless  job:  Although  a 
well-intentioned  network  operator  may 
disable  a  botnet,  the  machines  in  the  net¬ 
work  remain  infected  and  criminals  usu¬ 
ally  bring  them  “back  to  work,”  so  to  speak, 
very  quickly.  For  example,  after  Web-host¬ 
ing  company  McColo,  which  hosted  several 
massive  spam- sending  botnets,  was  shut 
down  late  last  year,  spam  levels  declined  by 
65  percent  but  then  returned  to  previous 
levels  within  weeks. 

“It  can  most  definitely  get  frustrating 
and  discouraging  at  times  to  see  the  resil¬ 
iency  of  some  of  the  botnets,”  says  DiMino. 
“However,  we’re  encouraged  by  the  increas¬ 
ing  interest  and  cooperation  by  law  enforce¬ 
ment,  various  security  organizations,  and 
even  international  CERT  groups  that  are 
able  to  track  movement  and  continue  to 
make  an  impact.” 

THE  MIND  OF  A  HUNTER 

What  kind  of  a  person  gets  into  this  line  of 
work,  essentially  a  career  in  hunting  mal¬ 
ware  and  botnets?  A  person  with  extreme 
patience  who  not  only  has  the  passion, 
but  the  time,  to  do  it,  according  to  DiMino. 
Shadowserver  volunteers  often  spend  in 
excess  of  12  hours  of  their  own  free  time 
each  day  tracking  malicious  activity. 

DiMino,  who  has  a  degree  in  electrical 
engineering,  would  not  have  guessed  that 
his  career  would  head  in  the  direction  it  has. 
“When  I  was  in  school,  I  never  thought  that 
I’d  be  doing  this  kind  of  effort  to  the  extent 
that  I  am,”  he  says. 

Steve  Santorelli,  on  the  other  hand, 
had  seen  his  future  in  IT  security  investi¬ 
gations  coming  from  the  beginning  of  his 
career.  The  U.K.  native  originally  got  into 
law  enforcement  with  Scotland  Yard  with 
the  intent  of  working  in  computer  investi¬ 
gations.  He  eventually  moved  on  to  similar 
work  at  Microsoft  before  taking  on  his  cur¬ 
rent  role  as  director  of  global  outreach  with 
the  nonprofit  organization  Team  Cymru,  a 
group  founded  a  decade  ago  by  four  people 
who  Santorelli  says  were  motivated  simply 
by  a  drive  to  understand  the  who  and  the 
why  of  online  criminality. 

“There  was  at  that  time  an  explosion, 
almost  this  perfect  storm  of  organized 
crime  that  started  moving  into  the  cyber¬ 
arena  as  the  banks  started  to  come  online 
while  at  the  same  time  the  computer  mali¬ 


cious  hackers  started  to  realize  there  was 
money  to  be  made,”  says  Santorelli. 

Team  Cymru  has  35  members  around 
the  globe  investigating  malicious  online 
activity  and  working  with  law  enforcement 
and  others  to  stop  it.  “It  is  a  modern-day 
game  of  chess,”  with  the  two  opponents 
always  striving  to  outdo  each  other,  says 
Santorelli. 

Peer-to-peer  botnets,  like  those  known 
as  Storm  and  Conficker,  have  brought  the 
competition  to  a  new  level,  he  says.  “They 
are  deeply  disturbing.  The  only  way  you 
can  really  take  down  a  peer-to-peer- 


based  botnet  is  to  kick  down  the  door  and 
arrest  the  guy  who  is  behind  it,”  Santorelli 
explains.  “Essentially,  the  miscreants  have 
examined  the  way  the  community  con¬ 
ducts  investigations  and  have  evolved  to 
circumvent  countermeasures  that  we  have 
put  in  place. 

“These  are  very  sophisticated  botnets,” 
he  continues.  “Even  if  you  could  hack  into 
[the]  botnet  infrastructure,  you  are  not 
allowed  to  issue  the  uninstall  command. 
Most  have  a  simple  command  that  allows 
you  to  uninstall  [it].  But  you  can’t  do  that, 
because  you  are  making  unauthorized 
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modifications  to  an  affected  machine  in  a 
jurisdiction  no  judge  is  going  to  give  you 
permission  to  do.  You  can’t  get  a  Texas 
judge,  for  instance,  to  allow  you  to  make 
modifications  to  a  machine  in  Tokyo. 
Technically,  even  if  you  could,  it  would  be 
against  the  law.” 

FROM  THE  SHADOWS 
TO  THE  LABS 

The  work  of  botnet  hunting  is  done  not  only 
by  volunteer  and  nonprofit  organizations 
like  Shadowserver,  but  by  research  units 
in  many  of  the  world’s  largest  security  ven¬ 
dors,  like  Symantec.  Vincent  Weafer,  vice 
president  of  Symantec’s  security  response 
division,  says  his  team  is  busy  hunting  mali¬ 
cious  activity  for  actionable  intelligence  that 
can  be  baked  into  future  security  products. 
He  also  mentions  a  constant  and  evolving 
threat  landscape  where  the  criminals  adapt 
their  strategies  almost  immediately  after 
security  manages  to  catch  up. 

“We  deliver  10,000  new  virus  signatures 
a  day,”  notes  Weafer. 

It  is  one  profession  where  time  and 
experience  don’t  really  make  the  job  any 
easier,  Weafer  says.  As  botnets  and  the 
criminals  who  master  them  get  stealthier 
and  more  prevalent,  infections  continue 
to  climb.  In  fact,  Symantec  saw  a  31  per¬ 
cent  increase  in  the  number  of  bot-infected 
machines  from  2007  to  2008— an  average  of 
75,158  infected  computers  per  day. 

“A  few  years  ago,  we  used  to  talk  about 
going  down  the  dark  alleys  of  the  Internet, 
at  pom  sites  and  various  things  like  that,” 
says  Weafer.  “But  these  days  most  attack¬ 
ers  cast  their  net  quite  differently.  They 
find  legitimate  websites  with  weak  secu¬ 
rity  and  put  in  exploits  on  the  sites  with 
the  notion  that  if  enough  people  visit  those 
sites,  they  are  going  to  get  those  exploits  on 
machines.” 

That  means  just  about  anyone  is  at  risk 
of  infection  now.  And  having  your  computer 
patched  and  up-to-date  no  longer  guaran¬ 
tees  immunity.  Weafer  and  the  others  we 
spoke  with  noted  that  these  days,  even  if 
the  actual  malware  is  not  sitting  on  the  site 
you  visit,  all  the  criminals  need  you  to  do  is 
run  a  script  and  you  can  be  infected. 

“A  lot  of  these  sites  have  little  control  over 
adverts  now,”  notes  Santorelli.  “We’ve  seen 
a  number  of  cases  recently  where  people 
have  gone  to  a  legitimate  website  and  there 


is  an  advert  up  there  hosting  some  kind  of 
malicious  code.” 

One  popular  tactic  employed  lately, 
even  on  legitimate  sites,  is  offering  rogue 
antivirus  software.  This  technique  relies 
on  social  engineering  to  trick  a  user  into 
downloading  what  they  think  is  secu¬ 
rity  software  that  will  scan  for  or  remove 
malware.  Instead,  when  the  user  grants 
permission  for  the  download,  his  machine 
becomes  infected. 

“A  machine  that  has  been  infected 
often  doesn’t  have  one  piece  of  malware,  it 
has  several  pieces  of  malware,”  explains 
Weafer.  “And  what  it  does  next  is  phone 
home.  It  communicates  back  to  the  master 
to  let  them  know  ‘I’m  online.’  ” 

At  that  point,  the  infected  computer  is 
part  of  the  botnet,  one  of  many  computers 
there  to  do  the  bidding  of  the  master  con¬ 
troller,  and  serving  in  some  sense  as  a  soft¬ 
ware  as  a  service  for  criminals,  who  rent 
them  out  from  the  bot  master  for  various 
schemes,  like  pharmaceutical  scams. 

“We  often  call  it  botnet  as  a  service,” 
says  Weafer.  “And  there  is  quality  of  ser¬ 
vice  and  bandwidth  to  consider.  These  are 
all  the  things  a  botnet  master  is  looking  for, 
because  in  turn  he  will  advertise  that  out.” 

WORK  THAT  BRINGS 
MANY  WORRIES 

To  hear  about  some  of  the  things  these  secu¬ 
rity  investigators  have  seen  in  their  line  of 
work  is  to  hear  tales  of  ominously  growing 
infected  networks  with  implications  that 
have  yet  to  be  seen.  And  it  is  scary  stuff. 
Both  DiMino  and  Santorelli  note  the  rise 
of  the  now  well-known  worm  Conficker 
as  one  of  the  most  troubling  moments  in 
recent  IT  security  history. 

“It  is  one  of  the  more  disturbing  peer- 
to-peer  botnets  because  it  is  very  big,  and  it 
became  a  media  sensation,”  says  Santorelli. 
“But  more  disturbing  than  anything  else 
about  it  is  we  haven’t  actually  seen  what 
it  is  going  to  be  used  for  yet.  Conficker  has 
infected,  by  some  estimates,  millions  of 
machines  around  the  Internet,  but  it  isn’t 
actually  doing  anything  yet.  A  lot  of  people 
are  very  concerned  about  what  it’s  for.” 

“Having  been  used  to  enumerating 
botnet  drones  in  the  thousands,  tens  or 
hundredsofthousands,seeingamultimillion- 
node  botnet  rapidly  propagate  was  quite 
alarming,”  adds  DiMino.  “We  were  initially 


worried  at  the  infection  rate  and  extensive 
propagation,  but  then  considering  how 
such  a  botnet  could  potentially  be  used  was 
especially  worrisome.” 

MEASURING  SUCCESS 

In  a  world  where  investigations  can  take 
months  or  years  and  the  rewards  are  few, 
how  does  one  measure  success  when  it 
comes  to  hunting  botnets?  For  guys  like 
Weafer,  the  work  has  the  obvious  direct 
impact  of  enhancing  products  and  helping 
customers.  But  for  Santorelli  and  DiMino, 
the  payoff  is  more  personal. 

“Personally,  I  love  that  feeling  you  have 
when  you’ve  spotted  a  mistake  a  criminal 
has  made,”  says  Santorelli.  “So  much  about 
IT  security  investigation  is  about  turning 
over  10,000  little  rocks,  looking  to  see  what 
you  can  find  underneath.  When  you  spot 
a  mistake  a  criminal  has  made,  then  as  a 
group  you  realize:  ‘I’ve  got  ya.’  ” 

DiMino  points  to  the  formation  of  the 
Conficker  Working  Group,  a  volunteer 
assembly  of  security  industry  profession¬ 
als  who  came  together  earlier  this  year  to 
try  to  contain  the  Conficker  worm,  as  one 
of  the  bigger  rewards  for  him,  and  a  good 
example  of  the  progress  that  can  be  made 
when  people  work  together. 

Seeing  several  varied  organizations 
with  different  strengths  and  goals  quickly 
band  together  and  plan  a  course  of  action 
was  amazing,  he  notes.  The  CWG  grew  rap¬ 
idly  and  soon  involved  some  of  the  world’s 
best  people  and  organizations  within  infor¬ 
mation  security. 

“I  think  that  was  a  sign  of  things  to  come 
in  terms  of  how  groups  can  work  together 
when  there  is  a  controlled  mission  in  mind,” 
DiMino  says.  “That  was  a  pretty  ground¬ 
breaking  event  because  it  got  a  lot  of  secu¬ 
rity  researcher  organizations  together  in 
one  room  to  say:  ‘We  have  a  real  threat  here. 
What  are  we  going  to  do  about  it?’  ” 

In  November,  security  vendor  FireEye 
scored  another  coup  by  knocking  out  (at 
least  temporarily)  the  well-known  Mega-D 
botnet.  As  DiMino  says,  “While  the  jury  is 
still  out  on  the  overall  effect  of  this  take¬ 
down,  it’s  a  great  example  of  how  a  care¬ 
fully  coordinated  and  comprehensive  plan 
can  achieve  success.”  ■ 


Reach  Senior  Editor  Joan  Goodchild  at 
jgoodchild@cxo.com. 
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[  cso  view] 

By  Ariel  Silverstone,  CISSP 


Clearer  Definition, 

New  Metrics  for  Cloud  Security 

Ariel  Silverstone  continues  his  series  on  how  to  manage 
and  secure  cloud  computing  technology 


Since  publication  of  my  first 
article  — “Cloud  Security: 
Danger  (and  Opportunity) 
Ahead,”  at  www.csoonline.com/ 
article /49296y~\\.  seems  like 
new  information  and  “cloud  solutions” 
have  been  appearing  daily.  I’m  gratified, 
for  example,  to  see  that  NIST,  the  National 
Institute  of  Standards  and  Technology,  has 
published  its  15th  draft  on  cloud  comput¬ 
ing  (see  http://csrc.nist.gov/groups/ 
SNS/cloud-computing/),  and  that  it 
agreed  with  much  of  the  definition 
I  proposed  in  the  previous  article: 
“Service-based  data  processing  and 
storage  capability  which  is  flexible, 
extensible  and  virtual.” 

NIST  suggested  that  cloud  com¬ 
puting  has  the  following  salient 
characteristics:  “On-demand  self- 
service,  based  upon  ubiquitous 
network  access,  using  location- 
independent  resource  pooling;  fea¬ 
ture  rapid  elasticity  and  provide  a 
measured  service.” 

It’s  interesting  to  note  that  NIST 
specifically  called  out  the  piece 
about  the  service  having  to  be  measured.  I 
wholeheartedly  agree  and  take  this  to  be  a 
step  in  the  maturity  of  cloud  computing. 

Security  Models 

The  Jericho  Forum  proposed  an  interest¬ 
ing  approach  to  cloud  computing  security. 
Starting  with  a  description  of  cloud  layers, 
it  allows  us  to  envision  the  problem. 

Here,  the  forum  proposed  that  security 
(and  identity  management)  are  elements 
that  cross  all  layers  and  in  effect  provide 
a  design  they  call  collaboration-oriented 
architecture. 

Once  this  foundation  has  been  laid,  the 


forum  defined  cloud  security  as  a  cube¬ 
shaped  model  that  highlights  various  pos¬ 
sibilities  of  architecture.  The  one  addressed 
here  is,  of  course,  the  outsourced/extemal/ 
de-parameterized  option. 

At  about  the  same  time,  the  Cloud 
Security  Alliance,  of  which  I  am  a  member, 
designed  a  not-too-different  view.  The  CSA 
broke  down  cloud  computing  into  three 
delivery  types: 


1.  Infrastructure  as  a  service  (laaS) 

2.  Platform  as  a  service  (PaaS) 

3.  Software  as  a  service  (SaaS) 

It  then  proceeded  to  define  these  cloud 
consumption  models: 

1.  Private 

2.  Public 

3.  Managed 

4.  Hybrid 

The  CSA’s  model  of  service  delivery 
stacks,  however,  is  very  complicated. 

While  I  do  not  disagree  with  its  refer¬ 
ence  model,  I  find  it  to  be  exceedingly  com¬ 
plex.  So  allow  me  here  to  define  the  problem 
statement  a  bit  differently. 


Let’s  expand  on  three  basic  tenets  of 
security: 

1.  Confidentiality 

2.  Availability 

3.  Integrity 

Clearly,  in  the  case  of  cloud  computing, 
and  especially  in  the  public/external  case, 
we  no  longer  have  any  control.  Once  the  bits 
“leave  our  network,”  control  lies  elsewhere. 
Losing  one  control  typically  mandates  an 
increase  in  the  other  controls. 

Here,  we  have  another  set  of 
problems.  Let’s  explore  the  remain¬ 
ing  controls. 

Confidentiality 

Typically,  we  handle  confidentiality 
through  the  use  of  technologies  such 
as  encryption  and  access  control. 
We  can  still  encrypt,  but  imagine 
what  happens  to  a  large  data  set.  It 
has  to  be  sent,  or  assembled,  in  the 
cloud,  remain  there  in  an  encrypted 
form  and  be  transferred  to  us  for 
processing. 

Once  the  data  is  at  our  location, 
we  have  to  decrypt  it,  perform  the 
operations  needed,  then  re-encrypt  and 
resend  to  the  cloud.  Doable,  yes.  But  the 
performance  tax  here  is  huge.  While  today’s 
routers  and  servers  no  longer  have  their 
performance  brought  down  to  one-sixth  by 
encryption,  we  still  pay  a  heavy  price. 

One  other  element  of  confidentiality  is 
the  ability  to  destroy  data.  In  a  cloud  that 
we  do  not  own,  and  on  storage  media  that 
we  do  not  control,  there  is  a  high  prob¬ 
ability  that  the  same  media  could  be  used 
for  other  purposes.  These  storage  buckets 
are  dynamic,  and  the  service/platform/ 
application  provider  might  allocate  them 
to  other  users. 
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This  sharing  and,  in  many  cases, 
repeated  sharing  of  storage  media  leads  to 
the  need  for  assured  destruction.  We  must 
follow  a  strict  policy  that  states  how  long 
data  is  to  be  kept,  when  and  by  whom  it 
should  be  destroyed,  and  how  such  destruc¬ 
tion  will  be  verified.  Since  degaussing  tapes 
and  shredding  CDs  is  out  of  the  question, 
we  must  employ  more  agile  software-based 
(or,  dare  we  say,  hardware-based)  methods 
to  ensure  that  destruction. 

This  question  becomes  infinitely  more 
complicated  when  we  consider  that  data  at 
rest  does  not  necessarily  “rest”  on  a  certain 
part  of  a  certain  hard  drive.  The  data  can, 
and  usually  does,  move  between  storage 
locations  on  the  drives.  The  onus  is  still  on 
us  to  ensure  confidentiality,  but  we  don’t 
manage  the  drives.  The  only  practical  solu¬ 
tion  here  is  to  demand  regular  scouring  of 
storage  media  from  the  service  providers. 
But  is  such  a  requirement  feasible? 

Finally,  lest  someone  think  I  am  only 
talking  about  the  storage  aspect  of  cloud 
computing,  the  above  discussion  is  easily 
applicable  to  processing  in  a  cloud  as  well. 

Availability 

When  dealing  with  a  cloud  computing 
resource,  we  are  at  the  mercy  of  the  net¬ 
work,  the  remote  server  and  whatever  con¬ 
trols  are  applicable  along  the  way,  be  they 
host-  or  network-related. 

Yes,  we  always  were  at  the  mercy  of  such 
risks,  but  we  owned  them  before. 

At  what  point  does  the  enterprise  take 
notice?  As  we  can  see  from  recent  outages  at 
Google  and  elsewhere,  users  are  very  sensi¬ 
tive  when  it  comes  to  the  availability  of  the 
information  they  require,  and  rightly  so. 

Even  when  taking  steps  to  “ensure” 
access,  which  in  reality  translates  into 
reducing  exposure  to  this  particular  risk, 
we  have  typically  resorted  to  building 
redundancy  into  the  system. 

Here  that  would  presumably  add  lines, 
servers,  networking  equipment  and  per¬ 
sonnel.  Doable,  but  at  what  cost?  What 
does  the  complexity  of  redundancy  mean 
to  an  organization?  What  is  the  true  cost  of 
operations? 

Let’s  look  at  an  example:  We  have  a  vol¬ 
ume  of  data  that  stretches  at  times  by  a  factor 
of  to,  so  cloud  computing  seems  like  the  per¬ 
fect  solution.  Here  is  what  might  happen: 

1.  We  ask  the  cloud  service  provider  for 


an  availability  in  data  storage  bursting.  We 
will  estimate  this  payment  at  10  percent  of 
our  regular  cloud  computing  cost. 

2.  We  ask  our  network  services  pro¬ 
vider  to  create  another  redundant  and 
highly  available  path  to  the  cloud  service 
provider.  We  will  estimate  that  cost  at  25 
percent  of  our  regular  data  communica¬ 
tions  cost. 

3.  And  now  we  must  consider  what  we 


are  to  do  if  such  a  data  burst  occurs  when 
we  have  no  availability  to  send  it  to  the 
cloud.  Are  we  going  to  dispose  of  it?  Cease 
operations?  No,  and  no.  So  here  we  must 
plan  for  (at  least)  the  storage  of  such  data, 
regardless  of  whether  we  use  cloud  com¬ 
puting  services. 

Integrity 

We  can  detect  changes  after  they  were  made. 
From  hashing  to  redundancy  checks,  from 
digital  signatures  to  trip-wiring,  we  are  able 
to  ascertain  that  a  change  has  occurred.  But 
we  can  no  longer  prevent  changes. 

The  bastion  of  defense-in-depth  has 
crumbled  when  we  talk  about  cloud 
computing. 

We  do  not  own  the  moats,  the  walls  or 
the  doors.  Accepting  data  without  verifica¬ 
tion  should  be  unthinkable,  but  verifying 
all  inbound  data  will  be  complex  and  costly, 
adding  yet  another  layer  to  the  mix  of  tech¬ 
nologies  and  methodologies  that  we  must 
wrestle  with. 

Indeed,  the  unchecked  cloud  could  lead 
to  a  wave  of  new  attacks  aimed  directly  at 
data  whose  guardians  (by  virtue  of  pos¬ 
session)  are  primarily  motivated  to  speed 
it  on  its  way  rather  than  to  protect  it  from 
change. 

Cloud  computing  could  be  a  gold  mine 
for  people  designing  man-in-the-middle 
attacks,  too. 

While  most  hosting  companies  will 
boast  of  their  monitoring  and  security,  few, 


if  any,  could  assure  you  that  they  have  never 
been  compromised. 

They  can  both  alter  the  data  and  ensure 
that  it,  and  associated  payloads,  make  their 
way  to  the  intended  destination. 

So  even  if  we  are  the  most  well-mean¬ 
ing  CSOs,  and  the  furthest  thing  from  our 
minds  is  flouting  the  law,  we  are  faced  with 
a  few  obstacles.  Here  are  a  few,  in  no  par¬ 
ticular  order: 


1.  How  do  we  comply  with  breach  noti¬ 
fication  laws? 

2.  What  happens  if  we  have  data  regard¬ 
ing  an  EU  citizen? 

3.  What  must  we  do  when  we  disclose 
risk  information  to  auditors?  To  the  Securi¬ 
ties  and  Exchange  Commission? 

4.  How  do  we  comply  with  rules  related 
to  CALEA?  E-discovery?  Data  forensics? 

Lastly,  remember  that  data  has  a  life- 
cycle.  There  are  typically  mandates  that 
data  be  disposed  of  in  a  secure  manner. 
Remember  those  cloud  buckets?  Well, 
these  must  be  certifiably  erased  when  we 
are  done  with  their  utility.  How  do  we  do 
that  in  a  cloud? 

If  we  remember  the  example  we  used 
above,  authenticity  of  data  is  a  problem  that 
must  be  addressed. 

Sometimes  seen  as  a  combination  of 
nonrepudiation,  integrity  and  accountabil¬ 
ity,  authenticity  is  a  superset  that  defines 
the  reliability  we  assign  and  the  trust  we 
place  in  our  data. 

Should  data  in/from  a  cloud  be  seen  as 
less-trusted  data? 

If  so,  is  there  any  worth  to  it? 

Will  the  cloud  end  up  being  used  only 
for  data  we  couldn’t  care  less  about? 

Only  time  will  tell.  ■ 


Ariel  Silverstone  is  a  veteran  of  the  Israeli 
Defense  Forces  with  experience  in  physical  and 
information  security,  and  is  a  regular  contribu¬ 
tor  to  CSO  magazine. 


The  cloud  unchecked  could  lead  to  a  wave 
of  new  attacks  aimed  directly  at  data  whose 
guardians  are  not  incentivized  to  protect  it 
Tom  change,  only  mostly  to  be  able  to  speed 
it  on  its  way. 
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The  CSO  Holiday  Gift  Guide 

Tired  of  bad  ties,  scarves  and  fruitcake?  Let  your  loved  ones 
know  what  a  busy  security  professional  really  needs. 


Italian 
Bespoke 
Dress  Shirt 

Woven  150-thread-count 
blend  of  Egyptian  cotton 
and  Kevlar.  Bulletproof, 
but  sleeves  still  roll  up 
easily.  (Plus:  Armpits 
don’t  show  sweat!) 
Giraffe  or  camel. 


The 

Insider/Out 

This  pattern-matching 
black-box  marvel  scrutinizes, 
combines  and  correlates 
events  and  alerts  across 
network  and  physical 
perimeters,  video  analytics, 
background-check  services, 
credit  ratings,  social  media 
sites,  high  school  yearbooks 
and  more-all  without 
sacrificing  a  whit  of  your 
employees’  privacy!  Black  or  a 
slightly  lighter  shade  of  black. 


ViperSix 

Precision 

Chronograph 

There’s  nothing  “second 
hand”  about  this  elegant 
watch.  Swiss  quartz 
accuracy,  boardroom 
style.  New  investigations 
feature:  Can  stop  time 
(beta).  Platinum  or  gold. 
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Megacalc  Ultra-  SX299 
Number  Cruncher 


Takes  bad  data,  runs  it  through  immature  algorithms  and  outputs  ROI 
numbers  for  which  you  will  be  held  absolutely  accountable.  Grey  or  gray. 


Two-Factor  Authentication 


1  User  enters  username  and  password. 


Get  the  strong  two-factor  security  you  need 
to  protect  against  today’s  sophisticated 
threats  without  the  hassle  and  cost  of 
yesterday’s  technology. 

•  Easy  to  Setup,  Manage,  and  Use 

•  Strong  Out-of-Band  Authentication 

•  Rapid  Regulatory  Compliance 

•  Far  Less  Expensive  Than  Tokens 


Instantly,  user  receives  a  call,  simply  answers 
and  presses  #  (or  a  PIN )  to  complete  the  login. 
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“Even  if  a  hacker  has  your  password,  your  account 
remains  secure.”  -  New  York  Times 


>PhoneFactor 
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www.phonefactor.com  |  1.877.NoToken 
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VeriSign* 


FORTUNE  500 
COMPANIES  DON’T 
HOOSE  SECURITY 
ON  A  WHIM. 


https://www.imagineyoursitehere.com 
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Over  95  percent  of  the  Fortune  500  choose  VeriSign  SSL  as  their  online  security  of  choice. 

Why?  Because  VeriSign  can  enable  the  strongest  encryption  available  and  has  the  most 
rigorous  authentication  standards.  Or  because  VeriSign®  Extended  Validation  (EV)  SSL  offers  the 
most  visible  site  security  available  by  displaying  the  green  address  bar  in  high-security  browsers, 
which  is  also  the  most  effective  defense  against  phishing  scams.  Add  it  up,  and  it’s  easy  to  see 
why  industry  leaders  choose  VeriSign— the  most  trusted  symbol  of  security  on  the  Web. 


It’s  powerful.  It’s  the  most  visible.  Learn  more  about  protecting 
your  site  and  your  customers  at  VeriSign.com/EVSSLPaper. 
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